Merge remote-tracking branch 'origin/MAGETWO-56444' into borg-2.3

Author: nathanjosiah

app/code/Magento/Theme/i18n/en_US.csv

@@ -96,6 +96,7 @@ Phrase,Phrase
 testMessage,testMessage
 Edit,Edit
 "We found no files.","We found no files."
+"thumbnail","thumbnail"
 "Browse Files","Browse Files"
 Scope:,Scope:
 Remove,Remove

app/code/Magento/Theme/view/adminhtml/templates/browser/content.phtml

@@ -3,8 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-?>
-<?php
+
 /**
  * Wysiwyg Images content template
  *

app/code/Magento/Theme/view/adminhtml/templates/browser/content/files.phtml

@@ -4,25 +4,21 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
-?>
-
-<?php
 /** @var $block \Magento\Theme\Block\Adminhtml\Wysiwyg\Files\Content\Files */
 ?>
 
-<?php if ($block->getFilesCount() > 0): ?>
-    <?php foreach ($block->getFiles() as $file): ?>
-        <div class="filecnt file-font" id="<?= /* @escapeNotVerified */ $file['id'] ?>">
+<?php if ($block->getFilesCount() > 0) : ?>
+    <?php foreach ($block->getFiles() as $file) : ?>
+        <div class="filecnt file-font" id="<?= $block->escapeHtmlAttr($file['id']) ?>">
             <p class="nm">
-                <?= /* @escapeNotVerified */ $file['text'] ?>
-                <?php if (isset($file['thumbnailParams'])): ?>
-                    <img src="<?= /* @escapeNotVerified */ $block->getUrl('*/*/previewImage', $file['thumbnailParams']) ?>">
+                <?= $block->escapeHtml($file['text']) ?>
+                <?php if (isset($file['thumbnailParams'])) : ?>
+                    <img src="<?= $block->escapeUrl($block->getUrl('*/*/previewImage', $file['thumbnailParams'])) ?>"
+                         alt="<?= $block->escapeHtmlAttr(__('thumbnail')) ?>">
                 <?php endif; ?>
             </p>
         </div>
     <?php endforeach; ?>
-<?php else: ?>
-    <?= /* @escapeNotVerified */ __('We found no files.') ?>
+<?php else : ?>
+    <?= $block->escapeHtml(__('We found no files.')) ?>
 <?php endif; ?>

app/code/Magento/Theme/view/adminhtml/templates/browser/content/uploader.phtml

@@ -4,17 +4,14 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-?>
-<?php
 /** @var $block \Magento\Theme\Block\Adminhtml\Wysiwyg\Files\Content\Uploader */
 ?>
 
 <div id="<?= $block->getHtmlId() ?>" class="uploader">
     <span class="fileinput-button form-buttons">
-        <span><?= /* @escapeNotVerified */ __('Browse Files') ?></span>
-        <input id="fileupload" type="file" name="<?= /* @escapeNotVerified */ $block->getConfig()->getFileField() ?>"
-            data-url="<?= /* @escapeNotVerified */ $block->getConfig()->getUrl() ?>" multiple>
+        <span><?= $block->escapeHtml(__('Browse Files')) ?></span>
+        <input id="fileupload" type="file" name="<?= $block->escapeHtmlAttr($block->getConfig()->getFileField()) ?>"
+            data-url="<?= $block->escapeUrl($block->getConfig()->getUrl()) ?>" multiple>
     </span>
     <div class="clear"></div>
     <script id="<?= $block->getHtmlId() ?>-template" type="text/x-magento-template">
@@ -44,7 +41,7 @@ require([
             form_key: FORM_KEY
         },
         sequentialUploads: true,
-        maxFileSize: <?= /* @escapeNotVerified */ $block->getFileSizeService()->getMaxFileSize() ?> ,
+        maxFileSize: <?= $block->escapeJs($block->getFileSizeService()->getMaxFileSize()) ?> ,
         add: function (e, data) {
             var progressTmpl = mageTemplate('#<?= $block->getHtmlId() ?>-template'),
                 fileSize,

app/code/Magento/Theme/view/adminhtml/templates/design/config/edit/scope.phtml

@@ -4,12 +4,10 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
 /* @var $block \Magento\Theme\Block\Adminhtml\Design\Config\Edit\Scope */
 ?>
 
 <div class="store-view">
-    <span class="store-switcher-label"><?= /* @escapeNotVerified */ __('Scope:') ?></span>
-    <span class="store-switcher-value"><?= /* @escapeNotVerified */ $block->getScopeTitle() ?></span>
+    <span class="store-switcher-label"><?= $block->escapeHtml(__('Scope:')) ?></span>
+    <span class="store-switcher-value"><?= $block->escapeHtml($block->getScopeTitle()) ?></span>
 </div>

app/code/Magento/Theme/view/adminhtml/templates/tabs/css.phtml

@@ -3,10 +3,9 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+/** @var $block \Magento\Theme\Block\Adminhtml\System\Design\Theme\Edit\Tab\Css */
 ?>
 
-<?php /** @var $block \Magento\Theme\Block\Adminhtml\System\Design\Theme\Edit\Tab\Css */ ?>
-
 <?= $block->getFormHtml() ?>
 
 <script>
@@ -20,7 +19,7 @@ require([
     $( '#css_file_uploader' ).fileupload({
         dataType: 'json',
         replaceFileInput: false,
-        url : '<?= /* @escapeNotVerified */ $block->getUrl('*/system_design_theme/uploadcss') ?>',
+        url : '<?= $block->escapeJs($block->escapeUrl($block->getUrl('*/system_design_theme/uploadcss'))) ?>',
         acceptFileTypes: /(.|\/)(css)$/i,
 
         /**

app/code/Magento/Theme/view/adminhtml/templates/tabs/fieldset/js.phtml

@@ -4,9 +4,9 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
+// phpcs:disable Magento2.Templates.ThisInTemplate.FoundThis
+/** @var $block \Magento\Backend\Block\Widget\Form\Renderer\Fieldset */
 ?>
-<?php /** @var $block \Magento\Backend\Block\Widget\Form\Renderer\Fieldset */ ?>
 
 <div id="js-file-uploader" class="uploader">
 </div>
@@ -32,7 +32,7 @@
                 id="remove_js_files_<%- data.id %>"
                 name="js_removed_files[]"
                 value="<%- data.id %>" />
-            <label for="remove_js_files_<%- data.id %>"><?= /* @escapeNotVerified */ __('Remove') ?></label>
+            <label for="remove_js_files_<%- data.id %>"><?= $block->escapeHtml(__('Remove')) ?></label>
         </div>
     </div>
 
@@ -60,7 +60,9 @@ jQuery(function($) {
     });
     $('body').trigger(
         'refreshJsList',
-        {jsList: <?= /* @escapeNotVerified */ $this->helper('Magento\Framework\Json\Helper\Data')->jsonEncode($block->getJsFiles()) ?>}
+        {
+            jsList: <?= /* @noEscape */ $this->helper(Magento\Framework\Json\Helper\Data::class)->jsonEncode($block->getJsFiles()) ?>
+        }
     );
 });
 

app/code/Magento/Theme/view/adminhtml/templates/tabs/js.phtml

@@ -3,8 +3,9 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+
+/** @var $block \Magento\Theme\Block\Adminhtml\System\Design\Theme\Edit\Tab\Js */
 ?>
-<?php /** @var $block \Magento\Theme\Block\Adminhtml\System\Design\Theme\Edit\Tab\Js */ ?>
 <?= $block->getFormHtml() ?>
 
 <script>
@@ -21,7 +22,7 @@ require([
         dataType: 'json',
         replaceFileInput: false,
         sequentialUploads: true,
-        url: '<?= /* @escapeNotVerified */ $block->getJsUploadUrl() ?>',
+        url: '<?= $block->escapeJs($block->escapeUrl($block->getJsUploadUrl())) ?>',
 
         /**
          * Add data

app/code/Magento/Theme/view/adminhtml/templates/title.phtml

@@ -4,17 +4,15 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
 /**
  * @var $block \Magento\Theme\Block\Html\Title
  */
-$titleId = ($block->getTitleId()) ? ' id="' . $block->getTitleId() . '"' : '';
+$titleIdHtml = ($block->getTitleId()) ? ' id="' . $block->escapeHtmlAttr($block->getTitleId()) . '"' : '';
 $titleClass = ($block->getTitleClass()) ? ' ' . $block->getTitleClass() : '';
-$title = $block->escapeHtml($block->getPageTitle());
+$title = $block->getPageTitle();
 ?>
 
-<div class="page-title-wrapper<?= /* @escapeNotVerified */ $titleClass ?>">
-    <h1 class="page-title"<?= /* @escapeNotVerified */ $titleId ?>><?= /* @escapeNotVerified */ $title ?></h1>
+<div class="page-title-wrapper<?= $block->escapeHtmlAttr($titleClass) ?>">
+    <h1 class="page-title"<?= /* @noEscape */ $titleIdHtml ?>><?= $block->escapeHtml($title) ?></h1>
     <?= $block->getChildHtml() ?>
 </div>

app/code/Magento/Theme/view/base/templates/root.phtml

@@ -3,18 +3,17 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <!doctype html>
-<html <?= /* @escapeNotVerified */ $htmlAttributes ?>>
-    <head <?= /* @escapeNotVerified */ $headAttributes ?>>
-        <?= /* @escapeNotVerified */ $requireJs ?>
-        <?= /* @escapeNotVerified */ $headContent ?>
-        <?= /* @escapeNotVerified */ $headAdditional ?>
+<html <?= /* @noEscape */ $htmlAttributes ?>>
+    <head <?= /* @noEscape */ $headAttributes ?>>
+        <?= /* @noEscape */ $requireJs ?>
+        <?= /* @noEscape */ $headContent ?>
+        <?= /* @noEscape */ $headAdditional ?>
     </head>
-    <body data-container="body" data-mage-init='{"loaderAjax": {}, "loader": { "icon": "<?= /* @escapeNotVerified */ $loaderIcon ?>"}}' <?= /* @escapeNotVerified */ $bodyAttributes ?>>
-        <?= /* @escapeNotVerified */ $layoutContent ?>
+    <body data-container="body"
+          data-mage-init='{"loaderAjax": {}, "loader": { "icon": "<?= /* @noEscape */ $loaderIcon ?>"}}'
+        <?= /* @noEscape */ $bodyAttributes ?>>
+        <?= /* @noEscape */ $layoutContent ?>
     </body>
 </html>