From 62ed6aef97e4f84b004043b6bb3c132ffa7e2feb Mon Sep 17 00:00:00 2001
From: haradahinata <harahina3589@gmail.com>
Date: Mon, 18 May 2026 02:24:28 +0900
Subject: [PATCH 1/2] Escape DHL rate XML fields

---
 common/models/shipping/Dhlexpress.php | 41 +++++++++++++++-------
 tests/check-dhl-rate-xml-escaping.py  | 50 +++++++++++++++++++++++++++
 2 files changed, 78 insertions(+), 13 deletions(-)
 create mode 100644 tests/check-dhl-rate-xml-escaping.py

diff --git a/common/models/shipping/Dhlexpress.php b/common/models/shipping/Dhlexpress.php
index 2b807f220..301921687 100644
--- a/common/models/shipping/Dhlexpress.php
+++ b/common/models/shipping/Dhlexpress.php
@@ -97,14 +97,20 @@ public function getQuote($address) {
             $pieces = ShippingHelper::get_package_piece($dhl_packs);
             $weight_unit = 'KG';
             $dim_unit = 'CM';
-            $fetch_accountrates = ($rate_type == 'ACCOUNT') ? "<PaymentAccountNumber>" . $dhlexpress_account . "</PaymentAccountNumber>" : "";
+            $fetch_accountrates = ($rate_type == 'ACCOUNT') ? "<PaymentAccountNumber>" . $this->escapeXmlValue($dhlexpress_account) . "</PaymentAccountNumber>" : "";
 
             $mailing_date = date('Y-m-d');
             $mailing_datetime = date('c');
-            $origin_postcode_city = ShippingHelper::get_postcode_city($fromCountryCode, $fromCity, $fromPostcode);
+            $origin_postcode_city = ShippingHelper::get_postcode_city(
+                $fromCountryCode,
+                $this->escapeXmlValue($fromCity),
+                $this->escapeXmlValue($fromPostcode)
+            );
             //$total_value = $this->cart->get_total();
 
-            $dutiable_content = ($is_dutiable == "Y") ? "<Dutiable><DeclaredCurrency>{$selected_currency}</DeclaredCurrency><DeclaredValue>{$total_value}</DeclaredValue></Dutiable>" : "";
+            $declared_currency = $this->escapeXmlValue($selected_currency);
+            $declared_value = $this->escapeXmlValue($total_value);
+            $dutiable_content = ($is_dutiable == "Y") ? "<Dutiable><DeclaredCurrency>{$declared_currency}</DeclaredCurrency><DeclaredValue>{$declared_value}</DeclaredValue></Dutiable>" : "";
 
             //$insurance_details = ($this->config->get('shipping_dhlexpress_insurance') == true) ? "<InsuredValue>". $total_value ."</InsuredValue><InsuredCurrency>". $this->config->get('config_currency') ."</InsuredCurrency>" : "";
             //$additional_insurance_details = ($this->config->get('shipping_dhlexpress_insurance') == true)  ? "<QtdShp><QtdShpExChrg><SpecialServiceType>II</SpecialServiceType><LocalSpecialServiceType>XCH</LocalSpecialServiceType></QtdShpExChrg></QtdShp>" : ""; //
@@ -130,7 +136,11 @@ public function getQuote($address) {
                 }
             }*/
 
-            $destination_postcode_city = ShippingHelper::get_postcode_city($county_code_to, $to_city, $postcode);
+            $destination_postcode_city = ShippingHelper::get_postcode_city(
+                $county_code_to,
+                $this->escapeXmlValue($to_city),
+                $this->escapeXmlValue($postcode)
+            );
             $payment_country = $county_code_to;// $this->config->get('shipping_dhlexpress_country_code');
 
             /*if ( !empty($this->config->get('shipping_dhlexpress_pay_con')) && $this->config->get('shipping_dhlexpress_pay_con') == "R" ) {
@@ -149,31 +159,31 @@ public function getQuote($address) {
             $xml .= '			<ServiceHeader>';
             $xml .= '				<MessageTime>'.$mailing_datetime.'</MessageTime>';
             $xml .= '					<MessageReference>1234567890123456789012345678901</MessageReference>';
-            $xml .= '					<SiteID>'.$dhlexpress_key.'</SiteID>';
-            $xml .= '					<Password>'.$dhlexpress_password.'</Password>';
+            $xml .= '					<SiteID>'.$this->escapeXmlValue($dhlexpress_key).'</SiteID>';
+            $xml .= '					<Password>'.$this->escapeXmlValue($dhlexpress_password).'</Password>';
             $xml .= '			</ServiceHeader>';
             $xml .= '		</Request>';
             $xml .= '		<From>';
-            $xml .= '			<CountryCode>'.$fromCountryCode.'</CountryCode>';
+            $xml .= '			<CountryCode>'.$this->escapeXmlValue($fromCountryCode).'</CountryCode>';
             $xml .= '			'.$origin_postcode_city;
             $xml .= '		</From>';
             $xml .= '		<BkgDetails> ';
-            $xml .= '			<PaymentCountryCode>'.$payment_country.'</PaymentCountryCode>';
+            $xml .= '			<PaymentCountryCode>'.$this->escapeXmlValue($payment_country).'</PaymentCountryCode>';
             $xml .= '			<Date>'.$mailing_date.'</Date>';
             $xml .= '			<ReadyTime>PT10H21M</ReadyTime>';
-            $xml .= '			<DimensionUnit>'.$dim_unit.'</DimensionUnit>';
-            $xml .= '			<WeightUnit>'.$weight_unit.'</WeightUnit>';
+            $xml .= '			<DimensionUnit>'.$this->escapeXmlValue($dim_unit).'</DimensionUnit>';
+            $xml .= '			<WeightUnit>'.$this->escapeXmlValue($weight_unit).'</WeightUnit>';
             $xml .= '			<Pieces>';
             $xml .= '				'.$pieces;
             $xml .= '			</Pieces>';
             $xml .= '			'.$fetch_accountrates;
-            $xml .= '			<IsDutiable>'.$is_dutiable.'</IsDutiable>';
+            $xml .= '			<IsDutiable>'.$this->escapeXmlValue($is_dutiable).'</IsDutiable>';
             $xml .= '			<NetworkTypeCode>AL</NetworkTypeCode>';
             //$xml .= '			'.$additional_insurance_details;
             //$xml .= '			'.$insurance_details;
             $xml .= '		</BkgDetails>';
             $xml .= '		<To>';
-            $xml .= '			<CountryCode>'.$county_code_to.'</CountryCode>';
+            $xml .= '			<CountryCode>'.$this->escapeXmlValue($county_code_to).'</CountryCode>';
             $xml .= '			'.$destination_postcode_city;
             $xml .= '		</To>';
             $xml .= '		'.$dutiable_content;
@@ -261,4 +271,9 @@ public function getQuote($address) {
         }
         return $method_data;
     }
-}
\ No newline at end of file
+
+    private function escapeXmlValue($value)
+    {
+        return htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
+    }
+}
diff --git a/tests/check-dhl-rate-xml-escaping.py b/tests/check-dhl-rate-xml-escaping.py
new file mode 100644
index 000000000..8889b140d
--- /dev/null
+++ b/tests/check-dhl-rate-xml-escaping.py
@@ -0,0 +1,50 @@
+from pathlib import Path
+
+
+dhl = Path("common/models/shipping/Dhlexpress.php")
+source = dhl.read_text(encoding="utf-8")
+
+required_snippets = [
+    "private function escapeXmlValue($value)",
+    "htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'UTF-8')",
+    "<PaymentAccountNumber>\" . $this->escapeXmlValue($dhlexpress_account) . \"</PaymentAccountNumber>",
+    "$this->escapeXmlValue($fromCity)",
+    "$this->escapeXmlValue($fromPostcode)",
+    "$this->escapeXmlValue($to_city)",
+    "$this->escapeXmlValue($postcode)",
+    "<DeclaredCurrency>{$declared_currency}</DeclaredCurrency>",
+    "<DeclaredValue>{$declared_value}</DeclaredValue>",
+    "'\t\t\t\t\t<SiteID>'.$this->escapeXmlValue($dhlexpress_key).'</SiteID>'",
+    "'\t\t\t\t\t<Password>'.$this->escapeXmlValue($dhlexpress_password).'</Password>'",
+    "'\t\t\t<CountryCode>'.$this->escapeXmlValue($fromCountryCode).'</CountryCode>'",
+    "'\t\t\t<PaymentCountryCode>'.$this->escapeXmlValue($payment_country).'</PaymentCountryCode>'",
+    "'\t\t\t<DimensionUnit>'.$this->escapeXmlValue($dim_unit).'</DimensionUnit>'",
+    "'\t\t\t<WeightUnit>'.$this->escapeXmlValue($weight_unit).'</WeightUnit>'",
+    "'\t\t\t<IsDutiable>'.$this->escapeXmlValue($is_dutiable).'</IsDutiable>'",
+    "'\t\t\t<CountryCode>'.$this->escapeXmlValue($county_code_to).'</CountryCode>'",
+]
+
+missing = [snippet for snippet in required_snippets if snippet not in source]
+if missing:
+    raise SystemExit(
+        "DHL Express XML is missing expected escaping snippets: "
+        + ", ".join(missing)
+    )
+
+unsafe_snippets = [
+    "<PaymentAccountNumber>\" . $dhlexpress_account . \"</PaymentAccountNumber>",
+    "ShippingHelper::get_postcode_city($fromCountryCode, $fromCity, $fromPostcode)",
+    "ShippingHelper::get_postcode_city($county_code_to, $to_city, $postcode)",
+    "'\t\t\t\t\t<SiteID>'.$dhlexpress_key.'</SiteID>'",
+    "'\t\t\t\t\t<Password>'.$dhlexpress_password.'</Password>'",
+    "'\t\t\t<CountryCode>'.$fromCountryCode.'</CountryCode>'",
+    "'\t\t\t<PaymentCountryCode>'.$payment_country.'</PaymentCountryCode>'",
+    "'\t\t\t<DimensionUnit>'.$dim_unit.'</DimensionUnit>'",
+    "'\t\t\t<WeightUnit>'.$weight_unit.'</WeightUnit>'",
+    "'\t\t\t<IsDutiable>'.$is_dutiable.'</IsDutiable>'",
+    "'\t\t\t<CountryCode>'.$county_code_to.'</CountryCode>'",
+]
+
+for unsafe_snippet in unsafe_snippets:
+    if unsafe_snippet in source:
+        raise SystemExit(f"DHL Express XML still writes raw value: {unsafe_snippet}")

From 5246a918e39be1eb2d1b456683597102a0ba473c Mon Sep 17 00:00:00 2001
From: haradahinata <harahina3589@gmail.com>
Date: Mon, 18 May 2026 05:15:19 +0900
Subject: [PATCH 2/2] Harden DHL XML escape guard test

---
 tests/check-dhl-rate-xml-escaping.py | 73 +++++++++++++++-------------
 1 file changed, 38 insertions(+), 35 deletions(-)

diff --git a/tests/check-dhl-rate-xml-escaping.py b/tests/check-dhl-rate-xml-escaping.py
index 8889b140d..9696e1a44 100644
--- a/tests/check-dhl-rate-xml-escaping.py
+++ b/tests/check-dhl-rate-xml-escaping.py
@@ -1,50 +1,53 @@
 from pathlib import Path
+import re
 
 
 dhl = Path("common/models/shipping/Dhlexpress.php")
 source = dhl.read_text(encoding="utf-8")
 
-required_snippets = [
-    "private function escapeXmlValue($value)",
-    "htmlspecialchars((string) $value, ENT_XML1 | ENT_QUOTES, 'UTF-8')",
-    "<PaymentAccountNumber>\" . $this->escapeXmlValue($dhlexpress_account) . \"</PaymentAccountNumber>",
-    "$this->escapeXmlValue($fromCity)",
-    "$this->escapeXmlValue($fromPostcode)",
-    "$this->escapeXmlValue($to_city)",
-    "$this->escapeXmlValue($postcode)",
-    "<DeclaredCurrency>{$declared_currency}</DeclaredCurrency>",
-    "<DeclaredValue>{$declared_value}</DeclaredValue>",
-    "'\t\t\t\t\t<SiteID>'.$this->escapeXmlValue($dhlexpress_key).'</SiteID>'",
-    "'\t\t\t\t\t<Password>'.$this->escapeXmlValue($dhlexpress_password).'</Password>'",
-    "'\t\t\t<CountryCode>'.$this->escapeXmlValue($fromCountryCode).'</CountryCode>'",
-    "'\t\t\t<PaymentCountryCode>'.$this->escapeXmlValue($payment_country).'</PaymentCountryCode>'",
-    "'\t\t\t<DimensionUnit>'.$this->escapeXmlValue($dim_unit).'</DimensionUnit>'",
-    "'\t\t\t<WeightUnit>'.$this->escapeXmlValue($weight_unit).'</WeightUnit>'",
-    "'\t\t\t<IsDutiable>'.$this->escapeXmlValue($is_dutiable).'</IsDutiable>'",
-    "'\t\t\t<CountryCode>'.$this->escapeXmlValue($county_code_to).'</CountryCode>'",
+required_patterns = [
+    r"private\s+function\s+escapeXmlValue\s*\(\s*\$value\s*\)",
+    r"htmlspecialchars\s*\(\s*\(string\)\s*\$value\s*,\s*ENT_XML1\s*\|\s*ENT_QUOTES\s*,\s*'UTF-8'\s*\)",
+    r"<PaymentAccountNumber>\"\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$dhlexpress_account\s*\)\s*\.\s*\"</PaymentAccountNumber>",
+    r"\$this->escapeXmlValue\s*\(\s*\$fromCity\s*\)",
+    r"\$this->escapeXmlValue\s*\(\s*\$fromPostcode\s*\)",
+    r"\$this->escapeXmlValue\s*\(\s*\$to_city\s*\)",
+    r"\$this->escapeXmlValue\s*\(\s*\$postcode\s*\)",
+    r"\$declared_currency\s*=\s*\$this->escapeXmlValue\s*\(\s*\$selected_currency\s*\)",
+    r"\$declared_value\s*=\s*\$this->escapeXmlValue\s*\(\s*\$total_value\s*\)",
+    r"<DeclaredCurrency>\{\$declared_currency\}</DeclaredCurrency>",
+    r"<DeclaredValue>\{\$declared_value\}</DeclaredValue>",
+    r"<SiteID>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$dhlexpress_key\s*\)\s*\.\s*'</SiteID>",
+    r"<Password>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$dhlexpress_password\s*\)\s*\.\s*'</Password>",
+    r"<CountryCode>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$fromCountryCode\s*\)\s*\.\s*'</CountryCode>",
+    r"<PaymentCountryCode>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$payment_country\s*\)\s*\.\s*'</PaymentCountryCode>",
+    r"<DimensionUnit>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$dim_unit\s*\)\s*\.\s*'</DimensionUnit>",
+    r"<WeightUnit>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$weight_unit\s*\)\s*\.\s*'</WeightUnit>",
+    r"<IsDutiable>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$is_dutiable\s*\)\s*\.\s*'</IsDutiable>",
+    r"<CountryCode>'\s*\.\s*\$this->escapeXmlValue\s*\(\s*\$county_code_to\s*\)\s*\.\s*'</CountryCode>",
 ]
 
-missing = [snippet for snippet in required_snippets if snippet not in source]
+missing = [pattern for pattern in required_patterns if not re.search(pattern, source)]
 if missing:
     raise SystemExit(
-        "DHL Express XML is missing expected escaping snippets: "
+        "DHL Express XML is missing expected escaping patterns: "
         + ", ".join(missing)
     )
 
-unsafe_snippets = [
-    "<PaymentAccountNumber>\" . $dhlexpress_account . \"</PaymentAccountNumber>",
-    "ShippingHelper::get_postcode_city($fromCountryCode, $fromCity, $fromPostcode)",
-    "ShippingHelper::get_postcode_city($county_code_to, $to_city, $postcode)",
-    "'\t\t\t\t\t<SiteID>'.$dhlexpress_key.'</SiteID>'",
-    "'\t\t\t\t\t<Password>'.$dhlexpress_password.'</Password>'",
-    "'\t\t\t<CountryCode>'.$fromCountryCode.'</CountryCode>'",
-    "'\t\t\t<PaymentCountryCode>'.$payment_country.'</PaymentCountryCode>'",
-    "'\t\t\t<DimensionUnit>'.$dim_unit.'</DimensionUnit>'",
-    "'\t\t\t<WeightUnit>'.$weight_unit.'</WeightUnit>'",
-    "'\t\t\t<IsDutiable>'.$is_dutiable.'</IsDutiable>'",
-    "'\t\t\t<CountryCode>'.$county_code_to.'</CountryCode>'",
+unsafe_patterns = [
+    r"<PaymentAccountNumber>\"\s*\.\s*\$dhlexpress_account\s*\.\s*\"</PaymentAccountNumber>",
+    r"ShippingHelper::get_postcode_city\s*\(\s*\$fromCountryCode\s*,\s*\$fromCity\s*,\s*\$fromPostcode\s*\)",
+    r"ShippingHelper::get_postcode_city\s*\(\s*\$county_code_to\s*,\s*\$to_city\s*,\s*\$postcode\s*\)",
+    r"<SiteID>'\s*\.\s*\$dhlexpress_key\s*\.\s*'</SiteID>",
+    r"<Password>'\s*\.\s*\$dhlexpress_password\s*\.\s*'</Password>",
+    r"<CountryCode>'\s*\.\s*\$fromCountryCode\s*\.\s*'</CountryCode>",
+    r"<PaymentCountryCode>'\s*\.\s*\$payment_country\s*\.\s*'</PaymentCountryCode>",
+    r"<DimensionUnit>'\s*\.\s*\$dim_unit\s*\.\s*'</DimensionUnit>",
+    r"<WeightUnit>'\s*\.\s*\$weight_unit\s*\.\s*'</WeightUnit>",
+    r"<IsDutiable>'\s*\.\s*\$is_dutiable\s*\.\s*'</IsDutiable>",
+    r"<CountryCode>'\s*\.\s*\$county_code_to\s*\.\s*'</CountryCode>",
 ]
 
-for unsafe_snippet in unsafe_snippets:
-    if unsafe_snippet in source:
-        raise SystemExit(f"DHL Express XML still writes raw value: {unsafe_snippet}")
+for unsafe_pattern in unsafe_patterns:
+    if re.search(unsafe_pattern, source):
+        raise SystemExit(f"DHL Express XML still writes raw value pattern: {unsafe_pattern}")