Merge remote-tracking branch 'origin/MC-14826' into borg-qwerty-2.3

Author: nathanjosiah

app/code/Magento/Customer/etc/adminhtml/system.xml

@@ -280,6 +280,7 @@
                 </field>
                 <field id="html" translate="label" type="textarea" sortOrder="3" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>HTML</label>
+                    <comment>Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed</comment>
                 </field>
                 <field id="pdf" translate="label" type="textarea" sortOrder="4" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>PDF</label>

app/code/Magento/Customer/i18n/en_US.csv

@@ -500,6 +500,7 @@ Strong,Strong
 "Address Templates","Address Templates"
 "Online Customers Options","Online Customers Options"
 "Online Minutes Interval","Online Minutes Interval"
+"Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed","Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed"
 "Leave empty for default (15 minutes).","Leave empty for default (15 minutes)."
 "Customer Notification","Customer Notification"
 "Customer Grid","Customer Grid"

app/code/Magento/Customer/view/adminhtml/templates/tab/view/personal_info.phtml

@@ -13,6 +13,7 @@ $lastLoginDateStore = $block->getStoreLastLoginDate();
 
 $createDateAdmin = $block->getCreateDate();
 $createDateStore = $block->getStoreCreateDate();
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 <div class="fieldset-wrapper customer-information">
     <div class="fieldset-wrapper-title">
@@ -61,7 +62,7 @@ $createDateStore = $block->getStoreCreateDate();
     </table>
     <address>
         <strong><?= $block->escapeHtml(__('Default Billing Address')) ?></strong><br/>
-        <?= $block->getBillingAddressHtml() ?>
+        <?= $block->escapeHtml($block->getBillingAddressHtml(), $allowedAddressHtmlTags) ?>
     </address>
 
 </div>

app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml

@@ -26,6 +26,7 @@ $orderStoreDate = $block->formatDate(
 );
 
 $customerUrl = $block->getCustomerViewUrl();
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 
 <section class="admin__page-section order-view-account-information">
@@ -171,7 +172,7 @@ $customerUrl = $block->getCustomerViewUrl();
                 <span class="title"><?= $block->escapeHtml(__('Billing Address')) ?></span>
                 <div class="actions"><?= /* @noEscape */ $block->getAddressEditLink($order->getBillingAddress()); ?></div>
             </div>
-            <address class="admin__page-section-item-content"><?= /* @noEscape */ $block->getFormattedAddress($order->getBillingAddress()); ?></address>
+            <address class="admin__page-section-item-content"><?= $block->escapeHtml($block->getFormattedAddress($order->getBillingAddress()), $allowedAddressHtmlTags); ?></address>
         </div>
         <?php if (!$block->getOrder()->getIsVirtual()): ?>
             <div class="admin__page-section-item order-shipping-address">
@@ -180,7 +181,7 @@ $customerUrl = $block->getCustomerViewUrl();
                     <span class="title"><?= $block->escapeHtml(__('Shipping Address')) ?></span>
                     <div class="actions"><?= /* @noEscape */ $block->getAddressEditLink($order->getShippingAddress()); ?></div>
                 </div>
-                <address class="admin__page-section-item-content"><?= /* @noEscape */ $block->getFormattedAddress($order->getShippingAddress()); ?></address>
+                <address class="admin__page-section-item-content"><?= $block->escapeHtml($block->getFormattedAddress($order->getShippingAddress()), $allowedAddressHtmlTags); ?></address>
             </div>
         <?php endif; ?>
     </div>