MAGETWO-96759: Fixed incorrect displaying of the sales rule conditions

Author: viktorpetryk

app/code/Magento/Rule/Block/Editable.php

@@ -9,6 +9,8 @@
 use Magento\Framework\View\Element\AbstractBlock;
 
 /**
+ * Renderer for Editable sales rules.
+ *
  * @api
  * @since 100.0.2
  */
@@ -52,9 +54,9 @@ public function render(\Magento\Framework\Data\Form\Element\AbstractElement $ele
 
         if ($element->getShowAsText()) {
             $html = ' <input type="hidden" class="hidden" id="' .
-                $element->getHtmlId() .
+                $this->escapeHtmlAttr($element->getHtmlId()) .
                 '" name="' .
-                $element->getName() .
+                $this->escapeHtmlAttr($element->getName()) .
                 '" value="' .
                 $element->getValue() .
                 '" data-form-part="' .

lib/internal/Magento/Framework/Data/Form/Element/AbstractElement.php

@@ -170,7 +170,11 @@ public function setId($id)
      */
     public function getHtmlId()
     {
-        return $this->getForm()->getHtmlIdPrefix() . $this->getData('html_id') . $this->getForm()->getHtmlIdSuffix();
+        return $this->_escaper->escapeHtml(
+            $this->getForm()->getHtmlIdPrefix() .
+            $this->getData('html_id') .
+            $this->getForm()->getHtmlIdSuffix()
+        );
     }
 
     /**
@@ -184,7 +188,7 @@ public function getName()
         if ($suffix = $this->getForm()->getFieldNameSuffix()) {
             $name = $this->getForm()->addSuffixToName($name, $suffix);
         }
-        return $name;
+        return $this->_escaper->escapeHtml($name);
     }
 
     /**