Merge branch 'develop' of https://github.com/magento/magento2ce into MAGETWO-56240

Author: shiftedreality

app/code/Magento/Bundle/Helper/Catalog/Product/Configuration.php

@@ -142,6 +142,7 @@ public function getBundleOptions(ItemInterface $item)
                                     . $this->pricingHelper->currency(
                                         $this->getSelectionFinalPrice($item, $bundleSelection)
                                     );
+                                $option['has_html'] = true;
                             }
                         }
 

app/code/Magento/Bundle/Test/Unit/Helper/Catalog/Product/ConfigurationTest.php

@@ -164,6 +164,9 @@ public function testGetBundleOptionsEmptyBundleSelectionIds()
         $this->assertEquals([], $this->helper->getBundleOptions($this->item));
     }
 
+    /**
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
+     */
     public function testGetOptions()
     {
         $optionIds = 'a:1:{i:0;i:1;}';
@@ -254,8 +257,12 @@ public function testGetOptions()
 
         $this->assertEquals(
             [
-                0 => ['label' => 'title', 'value' => [0 => '1 x name <span class="price">$15.00</span>']],
-                1 => ['label' => 'title', 'value' => 'value'],
+                [
+                    'label' => 'title',
+                    'value' => ['1 x name <span class="price">$15.00</span>'],
+                    'has_html' => true,
+                ],
+                ['label' => 'title', 'value' => 'value'],
             ],
             $this->helper->getOptions($this->item)
         );

app/code/Magento/Captcha/view/adminhtml/templates/default.phtml

@@ -19,7 +19,7 @@
             id="captcha"
             class="admin__control-text"
             type="text"
-            name="<?php /* @escapeNotVerified */ echo \Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE ?>[<?php /* @escapeNotVerified */ echo $block->getFormId()?>]"
+            name="<?php echo $block->escapeHtmlAttr(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE) ?>[<?php echo $block->escapeHtml($block->getFormId())?>]"
             data-validate="{required:true}"/>
         <?php if ($captcha->isCaseSensitive()) :?>
             <div class="admin__field-note">
@@ -32,19 +32,19 @@
     <img
         id="captcha-reload"
         class="captcha-reload"
-        src="<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('Magento_Captcha::reload.png') ?>"
+        src="<?php echo $block->escapeUrl($block->getViewFileUrl('Magento_Captcha::reload.png')) ?>"
         alt="<?php /* @escapeNotVerified */ echo __('Reload captcha') ?>"/>
     <img
-        id="<?php /* @escapeNotVerified */ echo $block->getFormId() ?>"
-        width="<?php /* @escapeNotVerified */ echo $block->getImgWidth() ?>"
-        height="<?php /* @escapeNotVerified */ echo $block->getImgHeight() ?>"
-        src="<?php /* @escapeNotVerified */ echo $captcha->getImgSrc() ?>" />
+        id="<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>"
+        width="<?php /* @noEscape */ echo (float) $block->getImgWidth() ?>"
+        height="<?php /* @noEscape */ echo (float) $block->getImgHeight() ?>"
+        src="<?php echo $block->escapeUrl($captcha->getImgSrc()) ?>" />
 </div>
 <script>
     require(["prototype", "mage/captcha"], function(){
 
 //<![CDATA[
-        var captcha = new Captcha('<?php /* @escapeNotVerified */ echo $block->getRefreshUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getFormId() ?>');
+        var captcha = new Captcha('<?php echo $block->escapeUrl($block->getRefreshUrl()) ?>', '<?php echo $block->escapeJs($block->getFormId()) ?>');
 
         $('captcha-reload').observe('click', function () {
             captcha.refresh(this);

app/code/Magento/Captcha/view/frontend/templates/default.phtml

@@ -10,19 +10,19 @@
 <?php /* @var $captcha \Magento\Captcha\Model\DefaultModel */ ?>
 <?php /* @var $block \Magento\Captcha\Block\Captcha\DefaultCaptcha */ ?>
 <?php $captcha = $block->getCaptchaModel() ?>
-<div class="field captcha required" role="<?php /* @escapeNotVerified */ echo $block->getFormId()?>">
-    <label for="captcha_<?php /* @escapeNotVerified */ echo $block->getFormId() ?>" class="label"><span><?php /* @escapeNotVerified */ echo __('Please type the letters below')?></span></label>
+<div class="field captcha required" role="<?php echo $block->escapeHtmlAttr($block->getFormId())?>">
+    <label for="captcha_<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>" class="label"><span><?php /* @escapeNotVerified */ echo __('Please type the letters below')?></span></label>
     <div class="control captcha">
-        <input name="<?php /* @escapeNotVerified */ echo \Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE ?>[<?php /* @escapeNotVerified */ echo $block->getFormId()?>]" type="text" class="input-text required-entry" data-validate="{required:true}" id="captcha_<?php /* @escapeNotVerified */ echo $block->getFormId() ?>" />
+        <input name="<?php echo $block->escapeHtmlAttr(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE) ?>[<?php echo $block->escapeHtmlAttr($block->getFormId())?>]" type="text" class="input-text required-entry" data-validate="{required:true}" id="captcha_<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>" />
         <div class="nested">
             <div class="field captcha no-label"
-                 data-captcha="<?php /* @escapeNotVerified */ echo $block->getFormId()?>"
-                 id="captcha-container-<?php /* @escapeNotVerified */ echo $block->getFormId()?>"
-                 data-mage-init='{"captcha":{"url": "<?php /* @escapeNotVerified */ echo $block->getRefreshUrl()?>",
-                                            "imageLoader": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('images/loader-2.gif') ?>",
-                                             "type": "<?php /* @escapeNotVerified */ echo $block->getFormId() ?>"}}'>
+                 data-captcha="<?php echo $block->escapeHtmlAttr($block->getFormId())?>"
+                 id="captcha-container-<?php echo $block->escapeHtmlAttr($block->getFormId())?>"
+                 data-mage-init='{"captcha":{"url": "<?php echo $block->escapeUrl($block->getRefreshUrl())?>",
+                                            "imageLoader": "<?php echo $block->escapeUrl($block->getViewFileUrl('images/loader-2.gif')) ?>",
+                                             "type": "<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>"}}'>
                 <div class="control captcha-image">
-                    <img alt="<?php /* @escapeNotVerified */ echo __('Please type the letters below')?>" class="captcha-img" height="<?php /* @escapeNotVerified */ echo $block->getImgHeight() ?>" src="<?php /* @escapeNotVerified */ echo $captcha->getImgSrc() ?>"/>
+                    <img alt="<?php /* @escapeNotVerified */ echo __('Please type the letters below')?>" class="captcha-img" height="<?php /* @noEscape */ echo (float) $block->getImgHeight() ?>" src="<?php echo $block->escapeUrl($captcha->getImgSrc()) ?>"/>
                     <button type="button" class="action reload captcha-reload" title="<?php /* @escapeNotVerified */ echo __('Reload captcha') ?>"><span><?php /* @escapeNotVerified */ echo __('Reload captcha') ?></span></button>
                 </div>
             </div>

app/code/Magento/Catalog/Block/Adminhtml/Category/Widget/Chooser.php

@@ -121,7 +121,7 @@ function (node, e) {
                 }
             ';
         } else {
-            $chooserJsObject = $this->getId();
+            $chooserJsObject = $this->escapeJs($this->getId());
             $js = '
                 function (node, e) {
                     ' .

app/code/Magento/Catalog/Block/Adminhtml/Product/Widget/Chooser.php

@@ -202,7 +202,7 @@ function (node, e) {
                 {jsObject}.categoryName = node.attributes.id != "none" ? node.text : false;
             }
         ';
-        $js = str_replace('{jsObject}', $this->getJsObjectName(), $js);
+        $js = str_replace('{jsObject}', $this->escapeJs($this->getJsObjectName()), $js);
         return $js;
     }
 

app/code/Magento/Catalog/Model/ResourceModel/Product/Indexer/LinkedProductSelectBuilderByIndexPrice.php

@@ -56,15 +56,16 @@ public function __construct(
     public function build($productId)
     {
         $linkField = $this->metadataPool->getMetadata(ProductInterface::class)->getLinkField();
+        $productTable = $this->resource->getTableName('catalog_product_entity');
 
         return [$this->resource->getConnection()->select()
-            ->from(['parent' => 'catalog_product_entity'], '')
+            ->from(['parent' => $productTable], '')
             ->joinInner(
                 ['link' => $this->resource->getTableName('catalog_product_relation')],
                 "link.parent_id = parent.$linkField",
                 []
             )->joinInner(
-                ['child' => 'catalog_product_entity'],
+                ['child' => $productTable],
                 "child.entity_id = link.child_id",
                 ['entity_id']
             )->joinInner(

app/code/Magento/Catalog/Model/ResourceModel/Product/LinkedProductSelectBuilderByBasePrice.php

@@ -65,14 +65,16 @@ public function build($productId)
     {
         $linkField = $this->metadataPool->getMetadata(ProductInterface::class)->getLinkField();
         $priceAttribute = $this->eavConfig->getAttribute(Product::ENTITY, 'price');
+        $productTable = $this->resource->getTableName('catalog_product_entity');
+
         $priceSelect = $this->resource->getConnection()->select()
-            ->from(['parent' => 'catalog_product_entity'], '')
+            ->from(['parent' => $productTable], '')
             ->joinInner(
                 ['link' => $this->resource->getTableName('catalog_product_relation')],
                 "link.parent_id = parent.$linkField",
                 []
             )->joinInner(
-                ['child' => 'catalog_product_entity'],
+                ['child' => $productTable],
                 "child.entity_id = link.child_id",
                 ['entity_id']
             )->joinInner(

app/code/Magento/Catalog/Model/ResourceModel/Product/LinkedProductSelectBuilderBySpecialPrice.php

@@ -86,15 +86,16 @@ public function build($productId)
         $specialPriceToDate = $this->eavConfig->getAttribute(Product::ENTITY, 'special_to_date');
         $timestamp = $this->localeDate->scopeTimeStamp($this->storeManager->getStore());
         $currentDate = $this->dateTime->formatDate($timestamp, false);
+        $productTable = $this->resource->getTableName('catalog_product_entity');
 
         $specialPrice = $this->resource->getConnection()->select()
-            ->from(['parent' => 'catalog_product_entity'], '')
+            ->from(['parent' => $productTable], '')
             ->joinInner(
                 ['link' => $this->resource->getTableName('catalog_product_relation')],
                 "link.parent_id = parent.$linkField",
                 []
             )->joinInner(
-                ['child' => 'catalog_product_entity'],
+                ['child' => $productTable],
                 "child.entity_id = link.child_id",
                 ['entity_id']
             )->joinInner(

app/code/Magento/Catalog/Model/ResourceModel/Product/LinkedProductSelectBuilderByTierPrice.php

@@ -68,14 +68,16 @@ public function __construct(
     public function build($productId)
     {
         $linkField = $this->metadataPool->getMetadata(ProductInterface::class)->getLinkField();
+        $productTable = $this->resource->getTableName('catalog_product_entity');
+
         $priceSelect = $this->resource->getConnection()->select()
-            ->from(['parent' => 'catalog_product_entity'], '')
+            ->from(['parent' => $productTable], '')
             ->joinInner(
                 ['link' => $this->resource->getTableName('catalog_product_relation')],
                 "link.parent_id = parent.$linkField",
                 []
             )->joinInner(
-                ['child' => 'catalog_product_entity'],
+                ['child' => $productTable],
                 "child.entity_id = link.child_id",
                 ['entity_id']
             )->joinInner(