Merge remote-tracking branch 'mainline/2.3-develop' into 2.3-develop-pr24

Author: serhii-balko

app/code/Magento/AdminNotification/Model/Feed.php

@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +96,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +263,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/Backend/view/adminhtml/templates/admin/access_denied.phtml

@@ -3,14 +3,13 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <?php
 /**
  * @see \Magento\Backend\Block\Denied
  */
+
+// phpcs:disable Magento2.Security.Superglobal
 ?>
 <hr class="access-denied-hr"/>
 <div class="access-denied-page">
@@ -21,10 +20,10 @@
         <li><span><?= $block->escapeHtml(__('Contact a system administrator or store owner to gain permissions.')) ?></span></li>
         <li>
             <span><?= $block->escapeHtml(__('Return to ')) ?>
-                <?php if(isset($_SERVER['HTTP_REFERER'])): ?>
+                <?php if (isset($_SERVER['HTTP_REFERER'])) : ?>
                     <a href="<?= $block->escapeUrl(__($_SERVER['HTTP_REFERER'])) ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
-                <?php else: ?>
+                <?php else : ?>
                     <a href="<?= $block->escapeHtmlAttr(__('javascript:history.back()')) ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
                 <?php endif ?>

app/code/Magento/Backend/view/adminhtml/templates/admin/formkey.phtml

@@ -4,4 +4,4 @@
  * See COPYING.txt for license details.
  */
 ?>
-<div><input name="form_key" type="hidden" value="<?= /* @escapeNotVerified */ $block->getFormKey() ?>" /></div>
+<div><input name="form_key" type="hidden" value="<?= $block->escapeHtmlAttr($block->getFormKey()) ?>" /></div>

app/code/Magento/Backend/view/adminhtml/templates/admin/login.phtml

@@ -4,19 +4,20 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/**
+ * @var \Magento\Framework\View\Element\AbstractBlock $block
+ */
 ?>
 
 <form method="post" action="" id="login-form" data-mage-init='{"form": {}, "validation": {}}' autocomplete="off">
     <fieldset class="admin__fieldset">
         <legend class="admin__legend">
-            <span><?= /* @escapeNotVerified */ __('Welcome, please sign in') ?></span>
+            <span><?= $block->escapeHtml(__('Welcome, please sign in')) ?></span>
         </legend><br/>
-        <input name="form_key" type="hidden" value="<?= /* @escapeNotVerified */ $block->getFormKey() ?>" />
+        <input name="form_key" type="hidden" value="<?= $block->escapeHtmlAttr($block->getFormKey()) ?>" />
         <div class="admin__field _required field-username">
             <label for="username" class="admin__field-label">
-                <span><?= /* @escapeNotVerified */ __('Username') ?></span>
+                <span><?= $block->escapeHtml(__('Username')) ?></span>
             </label>
             <div class="admin__field-control">
                 <input id="username"
@@ -26,14 +27,14 @@
                        autofocus
                        value=""
                        data-validate="{required:true}"
-                       placeholder="<?= /* @escapeNotVerified */ __('user name') ?>"
+                       placeholder="<?= $block->escapeHtmlAttr(__('user name')) ?>"
                        autocomplete="off"
                     />
             </div>
         </div>
         <div class="admin__field _required field-password">
             <label for="login" class="admin__field-label">
-                <span><?= /* @escapeNotVerified */ __('Password') ?></span>
+                <span><?= $block->escapeHtml(__('Password')) ?></span>
             </label>
             <div class="admin__field-control">
                 <input id="login"
@@ -42,7 +43,7 @@
                        name="login[password]"
                        data-validate="{required:true}"
                        value=""
-                       placeholder="<?= /* @escapeNotVerified */ __('password') ?>"
+                       placeholder="<?= $block->escapeHtmlAttr(__('password')) ?>"
                        autocomplete="off"
                     />
             </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/login_buttons.phtml

@@ -8,6 +8,6 @@
     <button
         <?php $block->getUiId(); ?>
         class="action-login action-primary">
-        <span><?= /* @escapeNotVerified */ __('Sign in') ?></span>
+        <span><?= $block->escapeHtml(__('Sign in')) ?></span>
     </button>
 </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/overlay_popup.phtml

@@ -3,15 +3,12 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <div class="wrapper-popup">
     <div class="middle" id="anchor-content">
         <div id="page:main-container">
-        <?php if ($block->getChildHtml('left')): ?>
-            <div class="columns <?= /* @escapeNotVerified */ $block->getContainerCssClass() ?>" id="page:container">
+        <?php if ($block->getChildHtml('left')) : ?>
+            <div class="columns <?= $block->escapeHtmlAttr($block->getContainerCssClass()) ?>" id="page:container">
                 <div id="page:left" class="side-col">
                     <?= $block->getChildHtml('left') ?>
                 </div>
@@ -24,13 +21,13 @@
                     </div>
                 </div>
             </div>
-      <?php else: ?>
+        <?php else : ?>
           <div id="messages" data-container-for="messages"><?= $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?></div>
           <?= $block->getChildHtml('content') ?>
-      <?php endif; ?>
+        <?php endif; ?>
          </div>
     </div>
-    <?php if ($block->getChildHtml('footer')): ?>
+    <?php if ($block->getChildHtml('footer')) : ?>
     <div class="footer">
         <?= $block->getChildHtml('footer') ?>
     </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/page.phtml

@@ -3,19 +3,16 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <?php /** @var $block \Magento\Backend\Block\Page */ ?>
 <!doctype html>
-<html lang="<?= /* @escapeNotVerified */ $block->getLang() ?>" class="no-js">
+<html lang="<?= $block->escapeHtmlAttr($block->getLang()) ?>" class="no-js">
 
 <head>
     <?= $block->getChildHtml('head') ?>
 </head>
 
-<body id="html-body"<?= $block->getBodyClass() ? ' class="' . $block->getBodyClass() . '"' : '' ?> data-container="body" data-mage-init='{"loaderAjax":{},"loader":{}}'>
+<body id="html-body" class="<?= $block->escapeHtmlAttr($block->getBodyClass()) ?>" data-container="body" data-mage-init='{"loaderAjax":{},"loader":{}}'>
     <div class="page-wrapper">
         <?= $block->getChildHtml('notification_window') ?>
         <?= $block->getChildHtml('global_notices') ?>
@@ -31,8 +28,8 @@
                 <?= $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
             </div>
             <?= $block->getChildHtml('page_main_actions') ?>
-            <?php if ($block->getChildHtml('left')): ?>
-                <div id="page:main-container" class="<?= /* @escapeNotVerified */ $block->getContainerCssClass() ?> col-2-left-layout">
+            <?php if ($block->getChildHtml('left')) : ?>
+                <div id="page:main-container" class="<?= $block->escapeHtmlAttr($block->getContainerCssClass()) ?> col-2-left-layout">
                     <div class="main-col" id="content">
                         <?= $block->getChildHtml('content') ?>
                     </div>
@@ -41,7 +38,7 @@
                         <?= $block->getChildHtml('left') ?>
                     </div>
                 </div>
-            <?php else: ?>
+            <?php else : ?>
                 <div id="page:main-container" class="col-1-layout">
                     <?= $block->getChildHtml('content') ?>
                 </div>

app/code/Magento/Backend/view/adminhtml/templates/dashboard/graph.phtml

@@ -3,33 +3,33 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <div class="dashboard-diagram">
     <div class="dashboard-diagram-switcher">
         <label for="order_<?= $block->getHtmlId() ?>_period"
-               class="label"><?= /* @escapeNotVerified */ __('Select Range:') ?></label>
+               class="label"><?= $block->escapeHtml(__('Select Range:')) ?></label>
         <select name="period" id="order_<?= $block->getHtmlId() ?>_period"
                 onchange="changeDiagramsPeriod(this);" class="admin__control-select">
-            <?php foreach ($this->helper('Magento\Backend\Helper\Dashboard\Data')->getDatePeriods() as $value => $label): ?>
-                <?php if (in_array($value, ['custom'])) {
+            <?php //phpcs:disable ?>
+            <?php foreach ($this->helper(\Magento\Backend\Helper\Dashboard\Data::class)->getDatePeriods() as $value => $label) : ?>
+                <?php
+                //phpcs:enable
+                if (in_array($value, ['custom'])) {
                     continue;
                 } ?>
-                <option value="<?= /* @escapeNotVerified */ $value ?>"
-                    <?php if ($block->getRequest()->getParam('period') == $value): ?> selected="selected"<?php endif; ?>
-                    ><?= /* @escapeNotVerified */ $label ?></option>
+                <option value="<?= /* @noEscape */ $value ?>"
+                    <?php if ($block->getRequest()->getParam('period') == $value) : ?> selected="selected"<?php endif; ?>
+                    ><?= $block->escapeHtml($label) ?></option>
             <?php endforeach; ?>
         </select>
     </div>
-    <?php if ($block->getCount()): ?>
+    <?php if ($block->getCount()) : ?>
     <div class="dashboard-diagram-image">
-        <img src="<?= /* @escapeNotVerified */ $block->getChartUrl(false) ?>" class="dashboard-diagram-chart" alt="Chart" title="Chart" />
+        <img src="<?= $block->escapeUrl($block->getChartUrl(false)) ?>" class="dashboard-diagram-chart" alt="Chart" title="Chart" />
     </div>
-    <?php else: ?>
+    <?php else : ?>
     <div class="dashboard-diagram-nodata">
-        <span><?= /* @escapeNotVerified */ __('No Data Found') ?></span>
+        <span><?= $block->escapeHtml(__('No Data Found')) ?></span>
     </div>
     <?php endif; ?>
 </div>

app/code/Magento/Backend/view/adminhtml/templates/dashboard/graph/disabled.phtml

@@ -3,9 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
 ?>
 <div class="dashboard-diagram-disabled">
-    <?= /* @escapeNotVerified */ __('Chart is disabled. To enable the chart, click <a href="%1">here</a>.', $block->getConfigUrl()) ?>
+    <?= /* @noEscape */ __('Chart is disabled. To enable the chart, click <a href="%1">here</a>.', $block->escapeUrl($block->getConfigUrl())) ?>
 </div>