Commit 9938530

author
Joan He
committed
2 parents 8fd1e17 + 4e514ea commit 9938530

20 files changed

+119
-120
lines changed


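--- a/app/code/Magento/Directory/Block/Currency.php
+++ b/app/code/Magento/Directory/Block/Currency.php
@@ -111,7 +111,7 @@ public function getSwitchUrl()
 */
 public function getSwitchCurrencyPostData($code)
 {
-return $this->_postDataHelper->getPostData($this->getSwitchUrl(), ['currency' => $code]);
+return $this->_postDataHelper->getPostData($this->escapeUrl($this->getSwitchUrl()), ['currency' => $code]);
 }
 
 /**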
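Review bot: Calling `escapeUrl()` inside getSwitchCurrencyPostData() bakes an output-context decision into a data method, while the JSON it returns is still echoed in currency.phtml with `/* @noEscape */` into a single-quoted `data-post` attribute; whether the attribute boundary survives a `'` in the URL or in `$code` depends on getPostData()'s encoder, which is not visible here. The escape belongs at the echo site (`escapeHtmlAttr` on the full payload) with the block returning the unescaped URL, so the same method can feed non-HTML consumers. The method's docblock starts outside the hunk; it should at least carry `@param string $code` and `@return string JSON payload for the data-post attribute` so the contract is explicit.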

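--- a/app/code/Magento/Directory/Test/Unit/Block/CurrencyTest.php
+++ b/app/code/Magento/Directory/Test/Unit/Block/CurrencyTest.php
@@ -34,16 +34,25 @@ protected function setUp()
 );
 $this->urlBuilder->expects($this->any())->method('getUrl')->will($this->returnArgument(0));
 
-/** @var \Magento\Framework\View\Element\Template\Context $context */
-$context = $this->getMock(
-\Magento\Framework\View\Element\Template\Context::class,
-['getUrlBuilder'],
-[],
-'',
-false
-);
+/** @var $context \Magento\Framework\View\Element\Template\Context|\PHPUnit_Framework_MockObject_MockObject */
+$context = $this->getMockBuilder(\Magento\Framework\View\Element\Template\Context::class)
+->disableOriginalConstructor()
+->getMock();
 $context->expects($this->any())->method('getUrlBuilder')->will($this->returnValue($this->urlBuilder));
 
+$escaperMock = $this->getMockBuilder(\Magento\Framework\Escaper::class)
+->disableOriginalConstructor()
+->getMock();
+$escaperMock->method('escapeUrl')
+->willReturnCallback(
+function ($string) {
+return 'escapeUrl' . $string;
+}
+);
+$context->expects($this->once())
+->method('getEscaper')
+->willReturn($escaperMock);
+
 /** @var \Magento\Directory\Model\CurrencyFactory $currencyFactory */
 $currencyFactory = $this->getMock(\Magento\Directory\Model\CurrencyFactory::class, [], [], '', false);
 $this->postDataHelper = $this->getMock(\Magento\Framework\Data\Helper\PostHelper::class, [], [], '', false);
@@ -63,7 +72,7 @@ public function testGetSwitchCurrencyPostData()
 {
 $expectedResult = 'post_data';
 $expectedCurrencyCode = 'test';
-$switchUrl = 'directory/currency/switch';
+$switchUrl = 'escapeUrldirectory/currency/switch';
 
 $this->postDataHelper->expects($this->once())
 ->method('getPostData')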
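Review bot: The new `@var` annotation on `$context` puts the variable name before the type; PHPDoc convention is type first, `/** @var \Magento\Framework\View\Element\Template\Context|\PHPUnit_Framework_MockObject_MockObject $context */`, which is also what the `$currencyFactory` annotation two lines below already does. The escaper stub prefixes `'escapeUrl'` rather than escaping, so the `'escapeUrldirectory/currency/switch'` expectation in testGetSwitchCurrencyPostData() proves only that escapeUrl() was invoked on the switch URL, not that the output is safe for any context; a one-line comment above `$escaperMock->method('escapeUrl')` saying `// marker prefix: asserts the call, not the escaping` would keep a later reader from treating it as a security test.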

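--- a/app/code/Magento/Directory/view/adminhtml/templates/js/optional_zip_countries.phtml
+++ b/app/code/Magento/Directory/view/adminhtml/templates/js/optional_zip_countries.phtml
@@ -5,14 +5,12 @@
 */
 
 // @codingStandardsIgnoreFile
-?>
-
-<?php
 /**
 * JS block for including Countries with Optional Zip
 *
 * @see \Magento\Backend\Block\Template
 */
+
 ?>
 <script>
 require([
@@ -21,7 +19,7 @@ require([
 ], function(){
 
 //<![CDATA[
-optionalZipCountries = <?php /* @escapeNotVerified */ echo $this->helper('Magento\Directory\Helper\Data')->getCountriesWithOptionalZip(true) ?>;
+optionalZipCountries = <?php /* @noEscape */ echo $this->helper('Magento\Directory\Helper\Data')->getCountriesWithOptionalZip(true) ?>;
 
 function onAddressCountryChanged (countryElement) {
 var zipElementId = countryElement.id.replace(/country_id/, 'postcode');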
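Review bot: `/* @noEscape */` on the optionalZipCountries assignment asserts that getCountriesWithOptionalZip(true) is already safe inside a `<script>` body, but nothing in the hunk records why, so the marker is a bare claim. Add the basis next to it, e.g. `/* @noEscape */ /* helper returns JSON-encoded country codes; verify encoder flags */`, and confirm the helper's encoder escapes `<` and `>` (JSON_HEX_TAG), since a value containing `</script>` would otherwise end the script block; the values are presumably ISO codes, so the practical exposure is low, but the annotation should say which assumption it rests on. The `$this->helper(...)` call with a string class name is legacy style; `$block->helper(...)` with a `::class` reference would be consistent with the rest of the commit.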

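--- a/app/code/Magento/Directory/view/frontend/templates/currency.phtml
+++ b/app/code/Magento/Directory/view/frontend/templates/currency.phtml
@@ -5,38 +5,36 @@
 */
 
 // @codingStandardsIgnoreFile
-
-?>
-<?php
 /**
 * Currency switcher
 *
-* @see \Magento\Directory\Block\Currency
+* @var \Magento\Directory\Block\Currency $block
 */
+
 ?>
 <?php if ($block->getCurrencyCount() > 1): ?>
 <?php $currencies = $block->getCurrencies(); ?>
 <?php $currentCurrencyCode = $block->getCurrentCurrencyCode(); ?>
-<?php $id = $block->getIdModifier() ? '-' . $block->getIdModifier() : ''?>
-<div class="switcher currency switcher-currency" id="switcher-currency<?php /* @escapeNotVerified */ echo $id?>">
-<strong class="label switcher-label"><span><?php /* @escapeNotVerified */ echo __('Currency') ?></span></strong>
+<?php $id = $block->getIdModifier() ? '-' . $block->getIdModifier() : '' ?>
+<div class="switcher currency switcher-currency" id="switcher-currency<?php echo $block->escapeHtmlAttr($id) ?>">
+<strong class="label switcher-label"><span><?php echo $block->escapeHtml(__('Currency')) ?></span></strong>
 <div class="actions dropdown options switcher-options">
-<div class="action toggle switcher-trigger" id="switcher-currency-trigger<?php /* @escapeNotVerified */ echo $id?>">
+<div class="action toggle switcher-trigger" id="switcher-currency-trigger<?php echo $block->escapeHtmlAttr($id) ?>">
 <strong class="language-<?php echo $block->escapeHtml($block->getCurrentCurrencyCode()) ?>">
 <span><?php echo $block->escapeHtml($currentCurrencyCode) ?> - <?php echo @$block->escapeHtml($currencies[$currentCurrencyCode]) ?></span>
 </strong>
 </div>
 <ul class="dropdown switcher-dropdown" data-mage-init='{"dropdownDialog":{
-"appendTo":"#switcher-currency<?php /* @escapeNotVerified */ echo $id?> > .options",
-"triggerTarget":"#switcher-currency-trigger<?php /* @escapeNotVerified */ echo $id?>",
+"appendTo":"#switcher-currency<?php echo $block->escapeJs($id) ?> > .options",
+"triggerTarget":"#switcher-currency-trigger<?php echo $block->escapeJs($id) ?>",
 "closeOnMouseLeave": false,
 "triggerClass":"active",
 "parentClass":"active",
 "buttons":null}}'>
 <?php foreach ($currencies as $_code => $_name): ?>
 <?php if ($_code != $currentCurrencyCode): ?>
-<li class="currency-<?php /* @escapeNotVerified */ echo $_code ?> switcher-option">
-<a href="#" data-post='<?php /* @escapeNotVerified */ echo $block->getSwitchCurrencyPostData($_code); ?>'><?php /* @escapeNotVerified */ echo $_code ?> - <?php /* @escapeNotVerified */ echo $_name ?></a>
+<li class="currency-<?php echo $block->escapeHtmlAttr($_code) ?> switcher-option">
+<a href="#" data-post='<?php /* @noEscape */ echo $block->getSwitchCurrencyPostData($_code); ?>'><?php echo $block->escapeHtml($_code) ?> - <?php echo $block->escapeHtml($_name) ?></a>
 </li>
 <?php endif; ?>
 <?php endforeach; ?>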
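Review bot: The `data-post` attribute on line 37 still echoes getSwitchCurrencyPostData() with `/* @noEscape */` into a single-quoted attribute, so a `'` anywhere in the JSON payload (switch URL or currency code) would terminate the attribute unless the helper's encoder emits it as `\u0027`; the escapeUrl() added in the block does not settle that, because it is not an attribute-context escape. Since the browser decodes HTML entities before the JS reads the attribute, the context-correct form is `data-post='<?php echo $block->escapeHtmlAttr($block->getSwitchCurrencyPostData($_code)); ?>'`, which round-trips the JSON intact. The `@`-suppressed `escapeHtml()` on line 24 and the loose `!=` on line 35 are kept as context; both deserve a follow-up, since the suppression hides a missing currency label instead of handling it.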

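--- a/app/code/Magento/Directory/view/frontend/templates/currency/switch.phtml
+++ b/app/code/Magento/Directory/view/frontend/templates/currency/switch.phtml
@@ -6,6 +6,8 @@
 
 // @codingStandardsIgnoreFile
 
+/** @var \Magento\Framework\View\Element\Template $block */
+
 ?>
-<p><?php /* @escapeNotVerified */ echo __('Your current currency is: %1.', $currency->getCode()) ?></p>
-<p><a href="<?php /* @escapeNotVerified */ echo $block->getBaseUrl(); ?>" class="action continue"><span><?php /* @escapeNotVerified */ echo __('Continue') ?></span></a></p>
+<p><?php echo $block->escapeHtml(__('Your current currency is: %1.', $currency->getCode())) ?></p>
+<p><a href="<?php echo $block->escapeUrl($block->getBaseUrl()); ?>" class="action continue"><span><?php echo $block->escapeHtml(__('Continue')) ?></span></a></p>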
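Review bot: The new `@var` docblock declares only `$block`, yet line 12 dereferences `$currency`, which nothing in the template defines; the template's contract is still incomplete. Add a second annotation naming its origin, e.g. `/** @var \Magento\Directory\Model\Currency $currency */` — it is presumably assigned to the template from the controller or layout, so confirm the type before committing it. Moving `__('... %1.', $currency->getCode())` under `escapeHtml()` is the right direction, as translation strings and the interpolated code are data rather than trusted markup.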

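--- a/app/code/Magento/Email/view/adminhtml/templates/template/edit.phtml
+++ b/app/code/Magento/Email/view/adminhtml/templates/template/edit.phtml
@@ -11,20 +11,20 @@ use Magento\Framework\App\TemplateTypesInterface;
 /** @var $block \Magento\Email\Block\Adminhtml\Template\Edit */
 ?>
 <?php if (!$block->getEditMode()): ?>
-<form action="<?php /* @escapeNotVerified */ echo $block->getLoadUrl() ?>" method="post" id="email_template_load_form">
+<form action="<?php echo $block->escapeUrl($block->getLoadUrl()) ?>" method="post" id="email_template_load_form">
 <?php echo $block->getBlockHtml('formkey')?>
 <fieldset class="admin__fieldset form-inline">
-<legend class="admin__legend"><span><?php /* @escapeNotVerified */ echo __('Load default template') ?></span></legend><br>
+<legend class="admin__legend"><span><?php echo $block->escapeHtml(__('Load default template')) ?></span></legend><br>
 <div class="admin__field">
-<label class="admin__field-label" for="template_select"><?php /* @escapeNotVerified */ echo __('Template') ?></label>
+<label class="admin__field-label" for="template_select"><?php echo $block->escapeHtml(__('Template')) ?></label>
 <div class="admin__field-control">
 <select id="template_select" name="code" class="admin__control-select required-entry">
 <?php foreach ($block->getTemplateOptions() as $group => $options): ?>
 <?php if ($group): ?>
-<optgroup label="<?php echo $block->escapeHtml($group) ?>">
+<optgroup label="<?php echo $block->escapeHtmlAttr($group) ?>">
 <?php endif; ?>
 <?php foreach ($options as $option): ?>
-<option value="<?php echo $block->escapeHtml($option['value']) ?>"<?php /* @escapeNotVerified */ echo $block->getOrigTemplateCode() == $option['value'] ? ' selected="selected"' : '' ?>><?php echo $block->escapeHtml($option['label']) ?></option>
+<option value="<?php echo $block->escapeHtmlAttr($option['value']) ?>"<?php /* @noEscape */ echo $block->getOrigTemplateCode() == $option['value'] ? ' selected="selected"' : '' ?>><?php echo $block->escapeHtml($option['label']) ?></option>
 <?php endforeach; ?>
 <?php if ($group): ?>
 </optgroup>
@@ -36,24 +36,24 @@ use Magento\Framework\App\TemplateTypesInterface;
 <div class="admin__field required">
 <span class="admin__field-label"></span>
 <div class="admin__field-control">
-<?php echo $block->getLoadButtonHtml() ?>
+<?php /* @noEscape */ echo $block->getLoadButtonHtml() ?>
 </div>
 </div>
 </fieldset>
 </form>
 <?php endif ?>
 
-<form action="<?php /* @escapeNotVerified */ echo $block->getSaveUrl() ?>" method="post" id="email_template_edit_form">
-<?php echo $block->getBlockHtml('formkey')?>
+<form action="<?php echo $block->escapeUrl($block->getSaveUrl()) ?>" method="post" id="email_template_edit_form">
+<?php /* @noEscape */ echo $block->getBlockHtml('formkey')?>
 <input type="hidden" id="change_flag_element" name="_change_type_flag" value="" />
-<input type="hidden" id="orig_template_code" name="orig_template_code" value="<?php /* @escapeNotVerified */ echo $block->getOrigTemplateCode() ?>" />
-<?php echo $block->getFormHtml() ?>
+<input type="hidden" id="orig_template_code" name="orig_template_code" value="<?php echo $block->escapeHtmlAttr($block->getOrigTemplateCode()) ?>" />
+<?php /* @noEscape */ echo $block->getFormHtml() ?>
 </form>
 
-<form action="<?php /* @escapeNotVerified */ echo $block->getPreviewUrl() ?>" method="post" id="email_template_preview_form" target="_blank">
-<?php echo $block->getBlockHtml('formkey')?>
+<form action="<?php echo $block->escapeUrl($block->getPreviewUrl()) ?>" method="post" id="email_template_preview_form" target="_blank">
+<?php /* @noEscape */ echo $block->getBlockHtml('formkey')?>
 <div class="no-display">
-<input type="hidden" id="preview_type" name="type" value="<?php /* @escapeNotVerified */ echo $block->isTextType() ? 1 : 2 ?>" />
+<input type="hidden" id="preview_type" name="type" value="<?php /* @noEscape */ echo $block->isTextType() ? 1 : 2 ?>" />
 <input type="hidden" id="preview_text" name="text" value="" />
 <input type="hidden" id="preview_styles" name="styles" value="" />
 </div>
@@ -93,7 +93,7 @@ require([
 
 this.bindEvents();
 
-this.renderPaths(<?php /* @escapeNotVerified */ echo $block->getCurrentlyUsedForPaths(); ?>, 'currently_used_for');
+this.renderPaths(<?php /* @noEscape */ echo $block->getCurrentlyUsedForPaths(); ?>, 'currently_used_for');
 },
 
 bindEvents: function(){
@@ -115,7 +115,7 @@ require([
 },
 
 stripTags: function () {
-if(!window.confirm("<?php /* @escapeNotVerified */ echo __('Are you sure you want to strip tags?') ?>")) {
+if(!window.confirm("<?php echo $block->escapeJs($block->escapeHtml(__('Are you sure you want to strip tags?'))) ?>")) {
 return false;
 }
 this.unconvertedText = $('template_text').value;
@@ -146,9 +146,9 @@ require([
 },
 preview: function() {
 if (this.typeChange) {
-$('preview_type').value = <?php /* @escapeNotVerified */ echo TemplateTypesInterface::TYPE_TEXT ?>;
+$('preview_type').value = <?php /* @noEscape */ echo TemplateTypesInterface::TYPE_TEXT ?>;
 } else {
-$('preview_type').value = <?php /* @escapeNotVerified */ echo $block->getTemplateType() ?>;
+$('preview_type').value = <?php echo (int) $block->getTemplateType() ?>;
 }
 if (typeof tinyMCE == 'undefined' || !tinyMCE.getInstanceById('template_text')) {
 $('preview_text').value = $('template_text').value;
@@ -166,8 +166,8 @@ require([
 },
 
 deleteTemplate: function() {
-if(window.confirm("<?php /* @escapeNotVerified */ echo __('Are you sure you want to delete this template?') ?>")) {
-window.location.href = '<?php /* @escapeNotVerified */ echo $block->getDeleteUrl() ?>';
+if(window.confirm("<?php echo $block->escapeJs($block->escapeHtml(__('Are you sure you want to delete this template?'))) ?>")) {
+window.location.href = '<?php echo $block->escapeJs($block->escapeUrl($block->getDeleteUrl())) ?>';
 }
 },
 
@@ -212,7 +212,7 @@ require([
 }.bind(this));
 } else {
 alert({
-content: '<?php /* @escapeNotVerified */ echo __('The template did not load. Please review the log for details.') ?>'
+content: '<?php echo $block->escapeJs($block->escapeHtml(__('The template did not load. Please review the log for details.'))) ?>'
 });
 }
 }.bind(this)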
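Review bot: `escapeJs($block->escapeHtml(__(...)))` on lines 118 and 169 escapes for the wrong context: both strings go straight into `window.confirm()` inside an inline `<script>` body, which the browser never HTML-decodes, so a translation containing `'` or `&` would reach the native dialog as a literal `&#039;` or `&amp;`. For a JS string literal `escapeJs()` alone is the matching escape, e.g. `if(!window.confirm("<?php echo $block->escapeJs(__('Are you sure you want to strip tags?')) ?>")) {`; line 215 is different, since the `alert({content: ...})` widget may render `content` as HTML, in which case the double chain there is intentional. The same context question applies to `escapeJs($block->escapeUrl(...))` on line 170: if escapeUrl() HTML-encodes `&`, the query string assigned to `window.location.href` would carry `&amp;`, so confirm its behaviour before chaining it into JS. The loose `==` against `$option['value']` on line 27 is inherited from the old code and would be safer as `===` with an explicit string cast.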

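--- a/app/code/Magento/Email/view/adminhtml/templates/template/preview.phtml
+++ b/app/code/Magento/Email/view/adminhtml/templates/template/preview.phtml
@@ -10,7 +10,7 @@
 <html lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<title><?php /* @escapeNotVerified */ echo __('Email Preview'); ?></title>
+<title><?php echo $block->escapeHtml(__('Email Preview')); ?></title>
 </head>
 <body>
 <?php echo $block->getChildHtml('content') ?>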

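--- a/app/code/Magento/PageCache/view/adminhtml/templates/page_cache_validation.phtml
+++ b/app/code/Magento/PageCache/view/adminhtml/templates/page_cache_validation.phtml
@@ -3,9 +3,8 @@
 * Copyright © 2016 Magento. All rights reserved.
 * See COPYING.txt for license details.
 */
-?>
 
-<?php /** @var \Magento\PageCache\Block\System\Config\Form\Field\Export $block */
+/** @var \Magento\PageCache\Block\System\Config\Form\Field\Export $block */
 ?>
 <script>
 require(['jquery'], function($){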

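--- a/app/code/Magento/PageCache/view/frontend/templates/javascript.phtml
+++ b/app/code/Magento/PageCache/view/frontend/templates/javascript.phtml
@@ -3,12 +3,13 @@
 * Copyright © 2016 Magento. All rights reserved.
 * See COPYING.txt for license details.
 */
+
+/** @var \Magento\PageCache\Block\Javascript $block */
 ?>
-<?php /** @var \Magento\PageCache\Block\Javascript $block */ ?>
 <script type="text/x-magento-init">
 {
 "body": {
-"pageCache": <?php /* @escapeNotVerified */ echo $block->getScriptOptions(); ?>
+"pageCache": <?php /* @noEscape */ echo $block->getScriptOptions(); ?>
 }
 }
 </script>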
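Review bot: `/* @noEscape */` on the `"pageCache"` value asserts that getScriptOptions() already yields JSON that is safe inside a `<script type="text/x-magento-init">` block, but the hunk gives no basis for it; a reader cannot tell whether the block encodes with JSON_HEX_TAG or returns an unescaped string. Record the assumption beside the marker, e.g. `/* @noEscape */ /* getScriptOptions() is expected to return json_encode() output; verify its flags */`, so the next `@escapeNotVerified` audit does not have to re-derive it. Since the surrounding braces are hand-written JSON, the block must also guarantee it returns a complete JSON value rather than a fragment; a one-line note on that contract in the template would help.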

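--- a/app/code/Magento/PageCache/view/frontend/templates/js/components.phtml
+++ b/app/code/Magento/PageCache/view/frontend/templates/js/components.phtml
@@ -6,5 +6,6 @@
 
 // @codingStandardsIgnoreFile
 
+/** @var \Magento\Framework\View\Element\Js\Components $block */
 ?>
 <?php echo $block->getChildHtml() ?>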
