diff --git a/Block/Adminhtml/Order/View/VendorNotes.php b/Block/Adminhtml/Order/View/VendorNotes.php
index 0dcd53c..8ab897d 100644
--- a/Block/Adminhtml/Order/View/VendorNotes.php
+++ b/Block/Adminhtml/Order/View/VendorNotes.php
@@ -6,27 +6,23 @@ use Magento\Sales\Model\Order;
 use Magento\Framework\App\Config\ScopeConfigInterface;
 use Magento\Store\Model\ScopeInterface;
 use Magento\Framework\Serialize\Serializer\Json;
-use Magento\Framework\Filter\Template as FilterTemplate;

 class VendorNotes extends Template
 {
 protected $_order;
 protected $_scopeConfig;
 protected $json;
- protected $filterTemplate;

 public function __construct(
 \Magento\Backend\Block\Template\Context $context,
 \Magento\Sales\Model\Order $order,
 ScopeConfigInterface $scopeConfig,
 Json $json,
- FilterTemplate $filterTemplate,
 array $data = []
 ) {
 $this->_order = $order;
 $this->_scopeConfig = $scopeConfig;
 $this->json = $json;
- $this->filterTemplate = $filterTemplate;
 parent::__construct($context, $data);
 }

@@ -98,4 +94,20 @@ class VendorNotes extends Template
 return [];
 }
 }
+
+ /**
+ * Filter output to allow safe HTML tags
+ *
+ * @param string $content
+ * @return string
+ */
+ public function filterOutputHtml($content)
+ {
+ // Decode HTML entities first in case the content was double-encoded
+ $content = html_entity_decode($content, ENT_QUOTES, 'UTF-8');
+
+ // Use Magento's filter to allow specific HTML tags
+ // This is safer than just echoing raw HTML
+ return $this->filterTemplate->filter($content);
+ }
 }
\ No newline at end of file
diff --git a/view/adminhtml/templates/order/view/vendor_notes.phtml b/view/adminhtml/templates/order/view/vendor_notes.phtml
index 8a34c43..78d2ba8 100644
--- a/view/adminhtml/templates/order/view/vendor_notes.phtml
+++ b/view/adminhtml/templates/order/view/vendor_notes.phtml
@@ -15,7 +15,10 @@ $notes = $block->getVendorNotes();
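Review bot: Removing the `FilterTemplate` injection in this hunk (the `use` import, the `$filterTemplate` property, the constructor parameter and its assignment) leaves the `filterOutputHtml()` method added in the second hunk of this file reading `$this->filterTemplate`, which no longer exists on the new side; the first call would raise an undefined-property warning and then fail calling `filter()` on null. Either the constructor injection has to stay, or the new method must stop depending on it. If the intent is to drop the `Magento\Framework\Filter\Template` dependency entirely, the method body should be rewritten against something the block still has in scope, such as the escaper helpers inherited from `Magento\Backend\Block\Template`.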
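Review bot: `filterOutputHtml()` does not sanitize HTML the way its comment claims: `Magento\Framework\Filter\Template::filter()` is a template-directive filter (it expands `{{...}}` constructs) and, as far as I can tell, leaves arbitrary tags and attributes untouched, while the preceding `html_entity_decode()` turns any previously escaped markup in a stored note back into live HTML, so what the admin template in the second file of this commit presumably echoes is effectively raw vendor-supplied content. Use the block's escaper with an explicit tag allowlist instead, which is what Magento provides for this purpose: `return $this->escapeHtml((string) $content, ['p', 'br', 'strong', 'em']);` (the allowlist is a constructed example; pick the tags the notes actually need). Keep `html_entity_decode()` only if notes are known to be stored entity-encoded, and even then apply the allowlist escaper after it rather than the template filter. The signature should also carry types, `public function filterOutputHtml(string $content): string`, and the comment "This is safer than just echoing raw HTML" should be dropped or reworded so it does not overstate what the filter does.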