Merge remote-tracking branch 'mainline/2.3-develop' into DEVOPS-2174

Author: slavvka

.htaccess

@@ -355,6 +355,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files auth.json>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

.htaccess.sample

@@ -332,6 +332,15 @@
             Require all denied
         </IfVersion>
     </Files>
+    <Files auth.json>
+        <IfVersion < 2.4>
+            order allow,deny
+            deny from all
+        </IfVersion>
+        <IfVersion >= 2.4>
+            Require all denied
+        </IfVersion>
+    </Files>
 
 # For 404s and 403s that aren't handled by the application, show plain 404 response
 ErrorDocument 404 /pub/errors/404.php

README.md

@@ -1,4 +1,5 @@
 [![Build Status](https://travis-ci.org/magento/magento2.svg?branch=2.3-develop)](https://travis-ci.org/magento/magento2)
+[![Open Source Helpers](https://www.codetriage.com/magento/magento2/badges/users.svg)](https://www.codetriage.com/magento/magento2)
 [![Gitter](https://badges.gitter.im/Join%20Chat.svg)](https://gitter.im/magento/magento2?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge)
 [![Crowdin](https://d322cqt584bo4o.cloudfront.net/magento-2/localized.png)](https://crowdin.com/project/magento-2)
 <h2>Welcome</h2>

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Date.php

@@ -127,7 +127,7 @@ public function getHtml()
 
     /**
      * @param string|null $index
-     * @return string
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -138,6 +138,11 @@ public function getEscapedValue($index = null)
                 $this->_localeDate->getDateFormat(\IntlDateFormatter::SHORT)
             );
         }
+
+        if (is_string($value)) {
+            return $this->escapeHtml($value);
+        }
+
         return $value;
     }
 

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/Datetime.php

@@ -140,8 +140,8 @@ public function getHtml()
     /**
      * Return escaped value for calendar
      *
-     * @param string $index
-     * @return string
+     * @param string|null $index
+     * @return array|string|int|float|null
      */
     public function getEscapedValue($index = null)
     {
@@ -150,6 +150,11 @@ public function getEscapedValue($index = null)
             if ($value instanceof \DateTimeInterface) {
                 return $this->_localeDate->formatDateTime($value);
             }
+
+            if (is_string($value)) {
+                return $this->escapeHtml($value);
+            }
+
             return $value;
         }
 

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DateTest.php

@@ -30,6 +30,12 @@ class DateTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -58,14 +64,26 @@ protected function setUp()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Date::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,16 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->model->getEscapedValue('from');
+    }
 }

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/DatetimeTest.php

@@ -30,6 +30,12 @@ class DatetimeTest extends \PHPUnit\Framework\TestCase
     /** @var \Magento\Framework\Stdlib\DateTime\TimezoneInterface|\PHPUnit_Framework_MockObject_MockObject */
     protected $localeDateMock;
 
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    private $escaperMock;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    private $contextMock;
+
     protected function setUp()
     {
         $this->mathRandomMock = $this->getMockBuilder(\Magento\Framework\Math\Random::class)
@@ -50,22 +56,34 @@ protected function setUp()
 
         $this->columnMock = $this->getMockBuilder(\Magento\Backend\Block\Widget\Grid\Column::class)
             ->disableOriginalConstructor()
-            ->setMethods(['getTimezone', 'getHtmlId', 'getId'])
+            ->setMethods(['getTimezone', 'getHtmlId', 'getId', 'getFilterTime'])
             ->getMock();
 
         $this->localeDateMock = $this->getMockBuilder(\Magento\Framework\Stdlib\DateTime\TimezoneInterface::class)
             ->disableOriginalConstructor()
             ->setMethods([])
             ->getMock();
 
+        $this->escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock = $this->getMockBuilder(\Magento\Backend\Block\Context::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->contextMock->expects($this->once())->method('getEscaper')->willReturn($this->escaperMock);
+        $this->contextMock->expects($this->once())->method('getLocaleDate')->willReturn($this->localeDateMock);
+
         $objectManagerHelper = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
         $this->model = $objectManagerHelper->getObject(
             \Magento\Backend\Block\Widget\Grid\Column\Filter\Datetime::class,
             [
                 'mathRandom' => $this->mathRandomMock,
                 'localeResolver' => $this->localeResolverMock,
                 'dateTimeFormatter' => $this->dateTimeFormatterMock,
-                'localeDate' => $this->localeDateMock
+                'localeDate' => $this->localeDateMock,
+                'context' => $this->contextMock,
             ]
         );
         $this->model->setColumn($this->columnMock);
@@ -98,4 +116,17 @@ public function testGetHtmlSuccessfulTimestamp()
         $this->assertContains('id="' . $uniqueHash . '_from" value="' . $yesterday->getTimestamp(), $output);
         $this->assertContains('id="' . $uniqueHash . '_to" value="' . $tomorrow->getTimestamp(), $output);
     }
+
+    public function testGetEscapedValueEscapeString()
+    {
+        $value = "\"><img src=x onerror=alert(2) />";
+        $array = [
+            'orig_from' => $value,
+            'from' => $value,
+        ];
+        $this->model->setValue($array);
+        $this->escaperMock->expects($this->once())->method('escapeHtml')->with($value);
+        $this->columnMock->expects($this->once())->method('getFilterTime')->willReturn(true);
+        $this->model->getEscapedValue('from');
+    }
 }

app/code/Magento/Backend/view/adminhtml/templates/page/report.phtml

@@ -8,5 +8,7 @@
 
 ?>
 <?php if ($block->getBugreportUrl()): ?>
-    <a class="link-report" href="<?= /* @escapeNotVerified */ $block->getBugreportUrl() ?>" id="footer_bug_tracking"><?= /* @escapeNotVerified */ __('Report an Issue') ?></a>
+    <a class="link-report" href="<?= /* @escapeNotVerified */ $block->getBugreportUrl() ?>" id="footer_bug_tracking" target="_blank">
+        <?= /* @escapeNotVerified */ __('Report an Issue') ?>
+    </a>
 <?php endif; ?>

app/code/Magento/Backup/Controller/Adminhtml/Index/Create.php

@@ -12,14 +12,14 @@
 class Create extends \Magento\Backup\Controller\Adminhtml\Index
 {
     /**
-     * Create backup action
+     * Create backup action.
      *
      * @return void|\Magento\Backend\App\Action
      * @SuppressWarnings(PHPMD.CyclomaticComplexity)
      */
     public function execute()
     {
-        if (!$this->getRequest()->isAjax()) {
+        if (!$this->isRequestAllowed()) {
             return $this->_redirect('*/*/index');
         }
 
@@ -106,4 +106,14 @@ public function execute()
 
         $this->getResponse()->representJson($response->toJson());
     }
+
+    /**
+     * Check if request is allowed.
+     *
+     * @return bool
+     */
+    private function isRequestAllowed()
+    {
+        return $this->getRequest()->isAjax() && $this->getRequest()->isPost();
+    }
 }