Merge remote-tracking branch 'upstream/2.3-develop' into feature/braintree-payment

Author: pmclain

.github/CONTRIBUTING.md

@@ -1,18 +1,23 @@
 # Contributing to Magento 2 code
 
 Contributions to the Magento 2 codebase are done using the fork & pull model.
-This contribution model has contributors maintaining their own copy of the forked codebase (which can easily be synced with the main copy). The forked repository is then used to submit a request to the base repository to “pull” a set of changes. For more information on pull requests please refer to [GitHub Help](https://help.github.com/articles/about-pull-requests/).
+This contribution model has contributors maintaining their own fork of the Magento 2 repository.
+The forked repository is then used to submit a request to the base repository to “pull” a set of changes.
+For more information on pull requests please refer to [GitHub Help](https://help.github.com/articles/about-pull-requests/).
 
 Contributions can take the form of new components or features, changes to existing features, tests, documentation (such as developer guides, user guides, examples, or specifications), bug fixes or optimizations.
 
-The Magento 2 development team will review all issues and contributions submitted by the community of developers in the first in, first out order. During the review we might require clarifications from the contributor. If there is no response from the contributor within two weeks, the pull request will be closed.
+The Magento 2 development team or community maintainers will review all issues and contributions submitted by the community of developers in the first in, first out order.
+During the review we might require clarifications from the contributor.
+If there is no response from the contributor within two weeks, the pull request will be closed.
 
+For more detialed information on contribution please read our [beginners guide](https://github.com/magento/magento2/wiki/Getting-Started).
 
 ## Contribution requirements
 
-1. Contributions must adhere to the [Magento coding standards](https://devdocs.magento.com/guides/v2.2/coding-standards/bk-coding-standards.html).
+1. Contributions must adhere to the [Magento coding standards](https://devdocs.magento.com/guides/v2.3/coding-standards/bk-coding-standards.html).
 2. Pull requests (PRs) must be accompanied by a meaningful description of their purpose. Comprehensive descriptions increase the chances of a pull request being merged quickly and without additional clarification requests.
-3. Commits must be accompanied by meaningful commit messages. Please see the [Magento Pull Request Template](https://github.com/magento/magento2/blob/2.2-develop/.github/PULL_REQUEST_TEMPLATE.md) for more information.
+3. Commits must be accompanied by meaningful commit messages. Please see the [Magento Pull Request Template](https://github.com/magento/magento2/blob/2.3-develop/.github/PULL_REQUEST_TEMPLATE.md) for more information.
 4. PRs which include bug fixes must be accompanied with a step-by-step description of how to reproduce the bug.
 3. PRs which include new logic or new features must be submitted along with:
 * Unit/integration test coverage
@@ -22,15 +27,22 @@ The Magento 2 development team will review all issues and contributions submitte
 
 ## Contribution process
 
-If you are a new GitHub user, we recommend that you create your own [free github account](https://github.com/signup/free). This will allow you to collaborate with the Magento 2 development team, fork the Magento 2 project and send pull requests.
+If you are a new GitHub user, we recommend that you create your own [free github account](https://github.com/signup/free).
+This will allow you to collaborate with the Magento 2 development team, fork the Magento 2 project and send pull requests.
 
 1. Search current [listed issues](https://github.com/magento/magento2/issues) (open or closed) for similar proposals of intended contribution before starting work on a new contribution.
 2. Review the [Contributor License Agreement](https://magento.com/legaldocuments/mca) if this is your first time contributing.
 3. Create and test your work.
-4. Fork the Magento 2 repository according to the [Fork A Repository instructions](https://devdocs.magento.com/guides/v2.2/contributor-guide/contributing.html#fork) and when you are ready to send us a pull request – follow the [Create A Pull Request instructions](https://devdocs.magento.com/guides/v2.2/contributor-guide/contributing.html#pull_request).
+4. Fork the Magento 2 repository according to the [Fork A Repository instructions](https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#fork) and when you are ready to send us a pull request – follow the [Create A Pull Request instructions](https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#pull_request).
 5. Once your contribution is received the Magento 2 development team will review the contribution and collaborate with you as needed.
 
 ## Code of Conduct
 
 Please note that this project is released with a Contributor Code of Conduct. We expect you to agree to its terms when participating in this project.
 The full text is available in the repository [Wiki](https://github.com/magento/magento2/wiki/Magento-Code-of-Conduct).
+
+## Connecting with Community!
+
+If you have any questions, join us in [#beginners](https://magentocommeng.slack.com/messages/CH8BGFX9D) Slack chat. If you are not on our slack, [click here](http://tinyurl.com/engcom-slack) to join.
+
+Need to find a project? Check out the [Slack Channels](https://github.com/magento/magento2/wiki/Slack-Channels) (with listed project info) and the [Magento Community Portal](https://opensource.magento.com/).

.github/PULL_REQUEST_TEMPLATE.md

@@ -21,7 +21,6 @@
     There could be 1 or more issues linked here and it will help us find some more information about the reasoning behind this change.
 -->
 1. magento/magento2#<issue_number>: Issue title
-2. ...
 
 ### Manual testing scenarios (*)
 <!---
@@ -31,6 +30,12 @@
 1. ...
 2. ...
 
+### Questions or comments
+<!---
+	If relevant, here you can ask questions or provide comments on your pull request for the reviewer
+	For example if you need assistance with writing tests or would like some feedback on one of your development ideas
+-->
+
 ### Contribution checklist (*)
  - [ ] Pull request has a meaningful description of its purpose
  - [ ] All commits are accompanied by meaningful commit messages

SECURITY.md

@@ -0,0 +1,10 @@
+# Reporting Security Issues
+
+Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants. 
+
+## Where should I report security issues?
+
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento).  Please provide us with relevant technical details and repro steps to expedite our investigation.  If you prefer not to use HackerOne, email us directly at `psirt@adobe.com` with details and repro steps.  
+
+## Learning More About Security
+To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).

app/code/Magento/AdminNotification/Model/Feed.php

@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +96,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +263,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml

@@ -4,10 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
-?>
-<?php
 /**
  * @see \Magento\AdminNotification\Block\Window
  */
@@ -19,11 +15,13 @@
             "autoOpen": true,
             "buttons": false,
             "modalClass": "modal-system-messages",
-            "title": "<?= /* @escapeNotVerified */ $block->getHeaderText() ?>"
+            "title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
         }
     }'>
     <li class="message message-warning warning">
-        <?= /* @escapeNotVerified */ $block->getNoticeMessageText() ?><br/>
-        <a href="<?= /* @escapeNotVerified */ $block->getNoticeMessageUrl() ?>"><?= /* @escapeNotVerified */ $block->getReadDetailsText() ?></a>
+        <?= $block->escapeHtml($block->getNoticeMessageText()) ?><br/>
+        <a href="<?= $block->escapeUrl($block->getNoticeMessageUrl()) ?>">
+            <?= $block->escapeHtml($block->getReadDetailsText()) ?>
+        </a>
     </li>
 </ul>

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml

@@ -4,41 +4,41 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages */ ?>
 
 <?php $lastCritical = $block->getLastCritical();?>
-<div id="system_messages" class="message-system<?php if ($lastCritical): ?> message-system-unread<?php endif; ?>">
+<div id="system_messages"
+     class="message-system<?php if ($lastCritical) : ?>
+     message-system-unread<?php endif; ?>">
     <div class="message-system-inner">
-        <?php if ($lastCritical): ?>
+        <?php if ($lastCritical) : ?>
             <ul class="message-system-list">
                 <li class="message message-warning error">
-                    <?= /* @escapeNotVerified */ $lastCritical->getText() ?>
+                    <?= $block->escapeHtml($lastCritical->getText()) ?>
                 </li>
             </ul>
         <?php endif; ?>
         <div class="message-system-short">
             <span class="message-system-short-label">
-                <?= /* @escapeNotVerified */ __('System Messages:') ?>
+                <?= $block->escapeHtml(__('System Messages:')) ?>
             </span>
 
-            <?php if ($block->getCriticalCount()): ?>
+            <?php if ($block->getCriticalCount()) : ?>
                 <div class="message message-warning error">
                     <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Critical System Messages')) ?>">
-                        <?= /* @escapeNotVerified */ $block->getCriticalCount() ?>
+                        <?= (int) $block->getCriticalCount() ?>
                     </a>
                 </div>
-            <?php endif;?>
+            <?php endif; ?>
 
-            <?php if ($block->getMajorCount()): ?>
+            <?php if ($block->getMajorCount()) : ?>
                <div class="message message-warning warning">
                    <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
-                       <?= /* @escapeNotVerified */ $block->getMajorCount() ?>
+                       <?= (int) $block->getMajorCount() ?>
                    </a>
                </div>
-            <?php endif;?>
+            <?php endif; ?>
         </div>
         <div id="message-system-all" title="<?= $block->escapeHtml(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtml($block->getSystemMessageDialogJson()) ?>'></div>
     </div>

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml

@@ -4,16 +4,15 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */ ?>
 
-<div style="display:none" id="system_messages_list" data-role="system_messages_list" title="<?= $block->escapeHtml($block->getPopupTitle()) ?>">
+<div style="display:none" id="system_messages_list" data-role="system_messages_list"
+     title="<?= $block->escapeHtmlAttr($block->getPopupTitle()) ?>">
     <ul class="message-system-list messages">
-        <?php foreach ($block->getUnreadMessages() as $message): ?>
-            <li class="message message-warning <?= /* @escapeNotVerified */ $block->getItemClass($message) ?>">
-                <?= /* @escapeNotVerified */ $message->getText() ?>
+        <?php foreach ($block->getUnreadMessages() as $message) : ?>
+            <li class="message message-warning <?= $block->escapeHtmlAttr($block->getItemClass($message)) ?>">
+                <?= $block->escapeHtml($message->getText()) ?>
             </li>
         <?php endforeach;?>
     </ul>
@@ -27,4 +26,4 @@
             }
         }
     }
-</script>
+</script>