Merge remote-tracking branch 'origin/MAGETWO-72060' into 2.3-develop-pr4

Author: DianaRusin

app/code/Magento/Catalog/Block/Adminhtml/Product/Attribute/Set/Main.php

@@ -233,7 +233,7 @@ public function getGroupTreeJson()
         /* @var $node \Magento\Eav\Model\Entity\Attribute\Group */
         foreach ($groups as $node) {
             $item = [];
-            $item['text'] = $node->getAttributeGroupName();
+            $item['text'] = $this->escapeHtml($node->getAttributeGroupName());
             $item['id'] = $node->getAttributeGroupId();
             $item['cls'] = 'folder';
             $item['allowDrop'] = true;
@@ -280,7 +280,7 @@ public function getAttributeTreeJson()
 
         foreach ($attributes as $child) {
             $attr = [
-                'text' => $child->getAttributeCode(),
+                'text' => $this->escapeHtml($child->getAttributeCode()),
                 'id' => $child->getAttributeId(),
                 'cls' => 'leaf',
                 'allowDrop' => false,

app/code/Magento/Catalog/view/adminhtml/templates/catalog/product/attribute/set/main.phtml

@@ -315,7 +315,7 @@
                         },
 
                         validateGroupName : function(name, exceptNodeId) {
-                            name = name.strip();
+                            name = name.strip().escapeHTML();
                             var result = true;
                             if (name === '') {
                                 result = false;