MC-37922: Html tag <br> visible in message

Author: OlgaVasyltsun

app/code/Magento/ImportExport/Controller/Adminhtml/ImportResult.php

@@ -9,6 +9,8 @@
 use Magento\ImportExport\Model\Import\Entity\AbstractEntity;
 use Magento\ImportExport\Model\Import\ErrorProcessing\ProcessingErrorAggregatorInterface;
 use Magento\ImportExport\Model\History as ModelHistory;
+use Magento\Framework\Escaper;
+use Magento\Framework\App\ObjectManager;
 
 /**
  * Import controller
@@ -37,22 +39,31 @@ abstract class ImportResult extends Import
      */
     protected $reportHelper;
 
+    /**
+     * @var Escaper|null
+     */
+    protected $escaper;
+
     /**
      * @param \Magento\Backend\App\Action\Context $context
      * @param \Magento\ImportExport\Model\Report\ReportProcessorInterface $reportProcessor
      * @param \Magento\ImportExport\Model\History $historyModel
      * @param \Magento\ImportExport\Helper\Report $reportHelper
+     * @param Escaper|null $escaper
      */
     public function __construct(
         \Magento\Backend\App\Action\Context $context,
         \Magento\ImportExport\Model\Report\ReportProcessorInterface $reportProcessor,
         \Magento\ImportExport\Model\History $historyModel,
-        \Magento\ImportExport\Helper\Report $reportHelper
+        \Magento\ImportExport\Helper\Report $reportHelper,
+        Escaper $escaper = null
     ) {
         parent::__construct($context);
         $this->reportProcessor = $reportProcessor;
         $this->historyModel = $historyModel;
         $this->reportHelper = $reportHelper;
+        $this->escaper = $escaper
+            ?? ObjectManager::getInstance()->get(Escaper::class);
     }
 
     /**
@@ -69,22 +80,20 @@ protected function addErrorMessages(
         if ($errorAggregator->getErrorsCount()) {
             $message = '';
             $counter = 0;
-            $unescapedMessages = [];
+            $escapedMessages = [];
             foreach ($this->getErrorMessages($errorAggregator) as $error) {
-                $unescapedMessages[] = (++$counter) . '. ' . $error;
+                $escapedMessages[] = (++$counter) . '. ' . $this->escaper->escapeHtml($error);
                 if ($counter >= self::LIMIT_ERRORS_MESSAGE) {
                     break;
                 }
             }
-            foreach ($unescapedMessages as $unescapedMessage) {
-                $message .= $resultBlock->escapeHtml($unescapedMessage) . '<br>';
-            }
+            $message .= implode('<br>', $escapedMessages);
             if ($errorAggregator->hasFatalExceptions()) {
                 foreach ($this->getSystemExceptions($errorAggregator) as $error) {
-                    $message .= $error->getErrorMessage()
+                    $message .= $this->escaper->escapeHtml($error->getErrorMessage())
                         . ' <a href="#" onclick="$(this).next().show();$(this).hide();return false;">'
                         . __('Show more') . '</a><div style="display:none;">' . __('Additional data') . ': '
-                        . $error->getErrorDescription() . '</div>';
+                        . $this->escaper->escapeHtml($error->getErrorDescription()) . '</div>';
                 }
             }
             try {