Merge remote-tracking branch 'mainline/2.3-develop' into MC-16650

Author: krissyhiserote

.editorconfig

@@ -0,0 +1,12 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+indent_size = 4
+indent_style = space
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.md]
+trim_trailing_whitespace = false

.github/CONTRIBUTING.md

@@ -11,7 +11,7 @@ The Magento 2 development team or community maintainers will review all issues a
 During the review we might require clarifications from the contributor.
 If there is no response from the contributor within two weeks, the pull request will be closed.
 
-For more detialed information on contribution please read our [beginners guide](https://github.com/magento/magento2/wiki/Getting-Started).
+For more detailed information on contribution please read our [beginners guide](https://github.com/magento/magento2/wiki/Getting-Started).
 
 ## Contribution requirements
 

CHANGELOG.md

@@ -20,10 +20,10 @@ To learn about issues, click [here][2]. To open an issue, click [here][3].
 
 To suggest documentation improvements, click [here][4].
 
-[1]: <https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html>
-[2]: <https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#report>
-[3]: <https://github.com/magento/magento2/issues>
-[4]: <https://devdocs.magento.com>
+[1]: https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html
+[2]: https://devdocs.magento.com/guides/v2.3/contributor-guide/contributing.html#report
+[3]: https://github.com/magento/magento2/issues
+[4]: https://devdocs.magento.com
 
 <h3>Community Maintainers</h3>
 The members of this team have been recognized for their outstanding commitment to maintaining and improving Magento. Magento has granted them permission to accept, merge, and reject pull requests, as well as review issues, and thanks these Community Maintainers for their valuable contributions.

README.md

@@ -0,0 +1,10 @@
+# Reporting Security Issues
+
+Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants. 
+
+## Where should I report security issues?
+
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento).  Please provide us with relevant technical details and repro steps to expedite our investigation.  If you prefer not to use HackerOne, email us directly at `psirt@adobe.com` with details and repro steps.  
+
+## Learning More About Security
+To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).

SECURITY.md

@@ -5,6 +5,8 @@
  */
 namespace Magento\AdminNotification\Model;
 
+use Magento\Framework\Escaper;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Config\ConfigOptionsListConstants;
 
 /**
@@ -25,6 +27,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +84,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +98,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(
+            Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +265,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/AdminNotification/Model/Feed.php

@@ -1,4 +1,40 @@
-# Admin Notification
+# Magento_AdminNotification module
 
-**Admin Notification** provides the ability to alert administrators via
-system messages and provides a message inbox for surveys and notifications.
+The Magento_AdminNotification module provides the ability to alert administrators via system messages and provides a message inbox for surveys and notifications.
+
+## Installation details
+
+The Magento_AdminNotification module creates the following tables in the database:
+- `adminnotification_inbox`
+- `admin_system_messages`
+
+Before disabling or uninstalling this module, note that the Magento_Indexer module depends on this module.
+
+For information about module installation in Magento 2, see [Enable or disable modules](https://devdocs.magento.com/guides/v2.3/install-gde/install/cli/install-cli-subcommands-enable.html).
+
+## Extensibility
+
+Extension developers can interact with the Magento_AdminNotification module. For more information about the Magento extension mechanism, see [Magento plug-ins](https://devdocs.magento.com/guides/v2.3/extension-dev-guide/plugins.html).
+
+[The Magento dependency injection mechanism](https://devdocs.magento.com/guides/v2.3/extension-dev-guide/depend-inj.html) enables you to override the functionality of the Magento_AdminNotification module.
+
+### Events
+
+This module observes the following events:
+
+ - `controller_action_predispatch` event in `Magento\AdminNotification\Observer\PredispatchAdminActionControllerObserver` file.
+
+### Layouts
+
+This module introduces the following layouts and layout handles in the `view/adminhtml/layout` directory:
+
+- `adminhtml_notification_index`
+- `adminhtml_notification_block`
+
+For more information about layouts in Magento 2, see the [Layout documentation](https://devdocs.magento.com/guides/v2.3/frontend-dev-guide/layouts/layout-overview.html).
+
+### UI components
+
+You can extend admin notifications using the `view/adminhtml/ui_component/notification_area.xml` configuration file.
+
+For information about UI components in Magento 2, see [Overview of UI components](https://devdocs.magento.com/guides/v2.3/ui_comp_guide/bk-ui_comps.html).

app/code/Magento/AdminNotification/README.md

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ /**
+  * Copyright © Magento, Inc. All rights reserved.
+  * See COPYING.txt for license details.
+  */
+-->
+
+<sections xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
+    <section name="AdminSystemMessagesSection">
+        <element name="systemMessagesDropdown" type="button" selector="#system_messages .message-system-action-dropdown"/>
+        <element name="actionMessageLog" type="button" selector="//*[contains(@class, 'message-system-summary')]/a[contains(text(), '{{textMessage}}')]" parameterized="true"/>
+    </section>
+</sections>

app/code/Magento/AdminNotification/Test/Mftf/Section/AdminSystemMessagesSection.xml

@@ -5,13 +5,14 @@
         "sort-packages": true
     },
     "require": {
-        "php": "~7.1.3||~7.2.0",
+        "php": "~7.1.3||~7.2.0||~7.3.0",
         "lib-libxml": "*",
         "magento/framework": "*",
         "magento/module-backend": "*",
         "magento/module-media-storage": "*",
         "magento/module-store": "*",
-        "magento/module-ui": "*"
+        "magento/module-ui": "*",
+        "magento/module-config": "*"
     },
     "type": "magento2-module",
     "license": [

app/code/Magento/AdminNotification/composer.json

@@ -4,10 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
-?>
-<?php
 /**
  * @see \Magento\AdminNotification\Block\Window
  */
@@ -19,11 +15,13 @@
             "autoOpen": true,
             "buttons": false,
             "modalClass": "modal-system-messages",
-            "title": "<?= /* @escapeNotVerified */ $block->getHeaderText() ?>"
+            "title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
         }
     }'>
     <li class="message message-warning warning">
-        <?= /* @escapeNotVerified */ $block->getNoticeMessageText() ?><br/>
-        <a href="<?= /* @escapeNotVerified */ $block->getNoticeMessageUrl() ?>"><?= /* @escapeNotVerified */ $block->getReadDetailsText() ?></a>
+        <?= $block->escapeHtml($block->getNoticeMessageText()) ?><br/>
+        <a href="<?= $block->escapeUrl($block->getNoticeMessageUrl()) ?>">
+            <?= $block->escapeHtml($block->getReadDetailsText()) ?>
+        </a>
     </li>
 </ul>