MAGETWO-67496: Escape product name for Display Actual Price

pdohogne-magento · pdohogne-magento · commit 7faf0487a8bc · 2017-05-23T13:56:29.000-05:00
diff --git a/app/code/Magento/Msrp/view/base/templates/product/price/msrp.phtml b/app/code/Magento/Msrp/view/base/templates/product/price/msrp.phtml
@@ -56,7 +56,7 @@ if ($product->isSaleable()) {
         $data = ['addToCart' => [
             'origin'=> 'msrp',
             'popupId' => '#' . $popupId,
-            'productName' => $product->getName(),
+            'productName' => $block->escapeHtml($product->getName()),
             'productId' => $productId,
             'productIdInput' => 'input[type="hidden"][name="product"]',
             'realPrice' => $block->getRealPriceHtml(),
diff --git a/app/code/Magento/Msrp/view/frontend/templates/render/item/price_msrp_item.phtml b/app/code/Magento/Msrp/view/frontend/templates/render/item/price_msrp_item.phtml
@@ -38,7 +38,7 @@
         <a href="javascript:void(0);"
            id="<?php /* @escapeNotVerified */ echo($popupId);?>"
            data-mage-init='{"addToCart":{"popupId": "#<?php /* @escapeNotVerified */ echo($popupId);?>",
-                                         "productName": "<?php /* @escapeNotVerified */ echo $_product->getName() ?>",
+                                         "productName": "<?php /* @escapeNotVerified */ echo $block->escapeJs($block->escapeHtml($_product->getName())) ?>",
                                          "realPrice": <?php /* @escapeNotVerified */ echo $block->getRealPriceJs($_product) ?>,
                                          "msrpPrice": "<?php /* @escapeNotVerified */ echo $_msrpPrice ?>",
                                          "priceElementId":"<?php /* @escapeNotVerified */ echo $priceElementId ?>",
@@ -51,5 +51,5 @@
         </span>
     <?php endif; ?>
     <?php $helpLinkId = 'msrp-help-' . $_id . $block->getRandomString(20); ?>
-    <a href="javascript:void(0);" id="<?php /* @escapeNotVerified */ echo($helpLinkId);?>" data-mage-init='{"addToCart":{"helpLinkId": "#<?php /* @escapeNotVerified */ echo($helpLinkId);?>", "productName": "<?php /* @escapeNotVerified */ echo $_product->getName() ?>"}}' class="link tip"><?php /* @escapeNotVerified */ echo __("What's this?"); ?></a>
+    <a href="javascript:void(0);" id="<?php /* @escapeNotVerified */ echo($helpLinkId);?>" data-mage-init='{"addToCart":{"helpLinkId": "#<?php /* @escapeNotVerified */ echo($helpLinkId);?>", "productName": "<?php /* @escapeNotVerified */ echo $block->escapeJs($block->escapeHtml($_product->getName())) ?>"}}' class="link tip"><?php /* @escapeNotVerified */ echo __("What's this?"); ?></a>
 </div>
