Fix: handle malformed UTF-8 in CatalogWidget cache key (#40824)

[lbajsarowicz]

Description (*)

Magento\CatalogWidget\Block\Product\ProductsList::getCacheKeyInfo() passes raw $_GET ($this->getRequest()->getParams()) to Magento\Framework\Serialize\Serializer\Json::serialize(). The serializer calls json_encode() with no JSON_INVALID_UTF8_* flag, so any malformed UTF-8 byte sequence in the query string raises JSON_ERROR_UTF8 and the serializer rethrows InvalidArgumentException: Unable to serialize value. Error: Malformed UTF-8 characters, possibly incorrectly encoded.

Because getCacheKeyInfo() is called from AbstractBlock::getCacheKey() → _loadCache() → toHtml(), the entire widget fails to render and Magento falls back to the generic "Sorry, we cannot generate the content..." template, while logging a CRITICAL entry to system.log on every hit.

Malformed UTF-8 in query strings is common in production traffic: truncated fbclid / gclid / dclid / utm_* tracking parameters from Facebook & Google Ads, broken share buttons, and bot scanners. No authentication or special preconditions are needed — a single crafted GET parameter is enough to break any CMS page hosting the widget.

This change scrubs invalid UTF-8 byte sequences in the request params via mb_convert_encoding($value, 'UTF-8', 'UTF-8') before serialization. Valid UTF-8 input is unchanged (identity transform), so existing cache keys are preserved; only previously-broken requests now produce a stable cache key instead of an exception. Scope is intentionally narrow — the fix is local to the widget cache key, where substitution is safe, rather than changing the global Json::serialize() contract (which is also used for stored data that must round-trip exactly).

Related Pull Requests

• N/A

Fixed Issues (if relevant)

1. Fixes Regression: Non UTF-8 encoded URI component still throws "Unable to serialize value" in CatalogWidget on 2.4.7-p5 #40824 — Regression: Non UTF-8 encoded URI component still throws "Unable to serialize value" in CatalogWidget on 2.4.7-p5

Related (same root cause, different code paths):

• Non UTF-8 encoded URI component throws error in CatalogWidget module #23760 — original report, previously closed via internal ticket MC-23846
• Magento_ReCaptcha... - Unable to serialize value. Error: Malformed UTF-8 characters, possibly incorrectly encoded #30486 — same defect via Magento_ReCaptcha
• Onepage Checkout getSerializedCheckoutConfig fails silently if json_encode fails #17934 — analogous silent json_encode failure in getSerializedCheckoutConfig

Manual testing scenarios (*)

1. Add a "Catalog Products List" widget to any CMS page (e.g. homepage).
2. Open the page with a malformed UTF-8 byte sequence in a query parameter:
   • https://example.test/?q=%C0%AF (overlong UTF-8 slash)
   • https://example.test/?dclid=%EDclid
   • https://example.test/?utm_source=%E0
   • https://example.test/?fbclid=foo%
3. Before the fix: widget is replaced by the generic CMS fallback message; var/log/system.log records CRITICAL: InvalidArgumentException: Unable to serialize value. Error: Malformed UTF-8 characters, possibly incorrectly encoded.
4. After the fix: widget renders normally; no entry is added to system.log; cache key is stable across repeated requests with the same malformed parameter (block cache works).

Questions or comments

Two alternative directions were considered:

• Changing Json::serialize() to pass JSON_INVALID_UTF8_SUBSTITUTE — rejected. The serializer is also used for stored data (config, quote items, persistent state) where silently substituting bytes could mask real upstream bugs and corrupt round-trips. The defect is at the call site, not the serializer.
• Hashing the params instead of serializing them — rejected for this PR. It would also help with cache fragmentation (every unique URL parameter creates a new cache entry), but it changes the cache key shape for every existing valid request and is out of scope for a regression fix.

Contribution checklist (*)

• Pull request has a meaningful description of its purpose
• All commits are accompanied by meaningful commit messages
• All new or changed code is covered with unit/integration tests (where applicable)
• All automated tests passed successfully (all builds are green)

[m2-assistant]

Hi @lbajsarowicz. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

• @magento run all tests - run or re-run all required tests against the PR changes
• @magento run <test-build(s)> - run or re-run specific test build(s)
  For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:

1. Database Compare
2. Functional Tests CE
3. Functional Tests EE
4. Functional Tests B2B
5. Integration Tests
6. Magento Health Index
7. Sample Data Tests CE
8. Sample Data Tests EE
9. Sample Data Tests B2B
10. Static Tests
11. Unit Tests
12. WebAPI Tests
13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

---

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

[ct-prd-pr-scan]

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email psirt@adobe.com.

[lbajsarowicz]

@magento run all tests

[lbajsarowicz]

@magento run all tests