Merge pull request #10144 from magento-gl/2.4.9-alpha3-develop-sync

AC-15854:: Sync 2.4.9-alpha3-develop with 2.4-develop

Author: glo71317

app/code/Magento/Backend/Block/Cache.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2013 Adobe
+ * Copyright 2011 Adobe
  * All Rights Reserved.
  */
 namespace Magento\Backend\Block;
@@ -35,7 +35,11 @@ protected function _construct()
         }
 
         if ($this->_authorization->isAllowed('Magento_Backend::flush_cache_storage')) {
-            $message = __('The cache storage may contain additional data. Are you sure that you want to flush it?');
+            $message = $this->escapeJs(
+                $this->escapeHtml(
+                    __('The cache storage may contain additional data. Are you sure that you want to flush it?')
+                )
+            );
             $this->buttonList->add(
                 'flush_system',
                 [

app/code/Magento/Backend/Block/System/Design/Edit.php

@@ -1,10 +1,13 @@
 <?php
 /**
- * Copyright 2013 Adobe
+ * Copyright 2011 Adobe
  * All Rights Reserved.
  */
 namespace Magento\Backend\Block\System\Design;
 
+use Magento\Framework\Escaper;
+use Magento\Framework\App\ObjectManager;
+
 /**
  * Edit store design schedule block.
  */
@@ -16,25 +19,35 @@ class Edit extends \Magento\Backend\Block\Widget
     protected $_template = 'Magento_Backend::system/design/edit.phtml';
 
     /**
-     * Core registry
+     * Application data storage
      *
      * @var \Magento\Framework\Registry
      */
     protected $_coreRegistry = null;
 
+    /**
+     * Escaper for secure output rendering
+     *
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * @inheritdoc
      *
      * @param \Magento\Backend\Block\Template\Context $context
      * @param \Magento\Framework\Registry $registry
      * @param array $data
+     * @param Escaper|null $escaper
      */
     public function __construct(
         \Magento\Backend\Block\Template\Context $context,
         \Magento\Framework\Registry $registry,
-        array $data = []
+        array $data = [],
+        ?Escaper $escaper = null
     ) {
         $this->_coreRegistry = $registry;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(Escaper::class);
         parent::__construct($context, $data);
     }
 
@@ -66,14 +79,17 @@ protected function _prepareLayout()
         );
 
         if ($this->getDesignChangeId()) {
+            $confirmMessage = $this->escaper->escapeJs(
+                $this->escaper->escapeHtml(__('Are you sure?'))
+            );
+            $deleteOnClick = 'deleteConfirm(\'' . $confirmMessage . '\', \'' .
+                $this->getDeleteUrl() . '\', {data: {}})';
             $this->getToolbar()->addChild(
                 'delete_button',
                 \Magento\Backend\Block\Widget\Button::class,
                 [
                     'label' => __('Delete'),
-                    'onclick' => 'deleteConfirm(\'' . __(
-                        'Are you sure?'
-                    ) . '\', \'' . $this->getDeleteUrl() . '\', {data: {}})',
+                    'onclick' => $deleteOnClick,
                     'class' => 'delete'
                 ]
             );

app/code/Magento/Backend/Block/Widget/Form/Container.php

@@ -1,6 +1,6 @@
 <?php
 /**
- * Copyright 2013 Adobe
+ * Copyright 2011 Adobe
  * All Rights Reserved.
  */
 namespace Magento\Backend\Block\Widget\Form;
@@ -13,7 +13,8 @@
  * Backend form container block
  *
  * @api
- * @deprecated 100.2.0 in favour of UI component implementation
+ * @deprecated 100.2.0 Use UI components for form rendering instead of this legacy form container
+ * @see \Magento\Ui\Component\Form
  * @SuppressWarnings(PHPMD.NumberOfChildren)
  * @since 100.0.2
  */
@@ -45,14 +46,14 @@ class Container extends \Magento\Backend\Block\Widget\Container
     protected $_blockGroup = 'Magento_Backend';
 
     /**
-     *  @var string
+     * @var string
      */
-    const PARAM_BLOCK_GROUP = 'block_group';
+    public const PARAM_BLOCK_GROUP = 'block_group';
 
     /**
-     *  @var string
+     * @var string
      */
-    const PARAM_MODE = 'mode';
+    public const PARAM_MODE = 'mode';
 
     /**
      * @var string
@@ -111,14 +112,17 @@ protected function _construct()
         $objId = (int)$this->getRequest()->getParam($this->_objectId);
 
         if (!empty($objId)) {
+            $confirmMessage = $this->escapeJs(
+                $this->escapeHtml(__('Are you sure you want to do this?'))
+            );
+            $deleteOnClick = 'deleteConfirm(\'' . $confirmMessage . '\', \'' .
+                $this->getDeleteUrl() . '\', {data: {}})';
             $this->addButton(
                 'delete',
                 [
                     'label' => __('Delete'),
                     'class' => 'delete',
-                    'onclick' => 'deleteConfirm(\'' . __(
-                        'Are you sure you want to do this?'
-                    ) . '\', \'' . $this->getDeleteUrl() . '\', {data: {}})'
+                    'onclick' => $deleteOnClick
                 ]
             );
         }

app/code/Magento/Catalog/Block/Adminhtml/Category/Edit/DeleteButton.php

@@ -7,12 +7,37 @@
 
 use Magento\Framework\View\Element\UiComponent\Control\ButtonProviderInterface;
 use Magento\Catalog\Block\Adminhtml\Category\AbstractCategory;
+use Magento\Framework\Escaper;
 
-/**
- * Class DeleteButton
- */
 class DeleteButton extends AbstractCategory implements ButtonProviderInterface
 {
+    /**
+     * Escaper for secure output rendering
+     *
+     * @var Escaper
+     */
+    private $escaper;
+
+    /**
+     * Constructor
+     *
+     * @param \Magento\Backend\Block\Template\Context $context
+     * @param \Magento\Catalog\Model\ResourceModel\Category\Tree $categoryTree
+     * @param \Magento\Framework\Registry $registry
+     * @param \Magento\Catalog\Model\CategoryFactory $categoryFactory
+     * @param array $data
+     */
+    public function __construct(
+        \Magento\Backend\Block\Template\Context $context,
+        \Magento\Catalog\Model\ResourceModel\Category\Tree $categoryTree,
+        \Magento\Framework\Registry $registry,
+        \Magento\Catalog\Model\CategoryFactory $categoryFactory,
+        array $data = []
+    ) {
+        $this->escaper = $context->getEscaper();
+        parent::__construct($context, $categoryTree, $registry, $categoryFactory, $data);
+    }
+
     /**
      * Delete button
      *
@@ -24,11 +49,13 @@ public function getButtonData()
         $categoryId = (int)$category->getId();
 
         if ($categoryId && !in_array($categoryId, $this->getRootIds()) && $category->isDeleteable()) {
+            $confirmMessage = $this->escaper->escapeJs(
+                $this->escaper->escapeHtml(__('Are you sure you want to delete this category?'))
+            );
             return [
                 'id' => 'delete',
                 'label' => __('Delete'),
-                'on_click' => "deleteConfirm('" .__('Are you sure you want to delete this category?') ."', '"
-                    . $this->getDeleteUrl() . "', {data: {}})",
+                'on_click' => "deleteConfirm('" . $confirmMessage . "', '" . $this->getDeleteUrl() . "', {data: {}})",
                 'class' => 'delete',
                 'sort_order' => 10
             ];
@@ -38,6 +65,8 @@ public function getButtonData()
     }
 
     /**
+     * Get the delete URL for category
+     *
      * @param array $args
      * @return string
      */
@@ -48,6 +77,8 @@ public function getDeleteUrl(array $args = [])
     }
 
     /**
+     * Get default URL parameters
+     *
      * @return array
      */
     protected function getDefaultUrlParams()

app/code/Magento/Catalog/Controller/Adminhtml/Product/Attribute/Save.php

@@ -273,7 +273,7 @@ public function execute()
                 $data['default_value'] = null;
             } elseif (isset($data['default'])) {
                 $defaultOptions = [];
-                foreach ($data['default'] as $defaultValue) {
+                foreach ((array)$data['default'] as $defaultValue) {
                     if ((int)$defaultValue > 0) {
                         $defaultOptions[] = $defaultValue;
                     }