MC-16618: Eliminate @escapeNotVerified in Sales-related Modules

- Resolve admin CR comments

Author: davemacaulay

app/code/Magento/Sales/view/adminhtml/templates/order/create/coupons/form.phtml

@@ -5,10 +5,7 @@
  */
 ?>
 <?php
-/**
- * \Magento\Sales\Block\Adminhtml\Order\Create\Coupons
- *
- */
+/* @var \Magento\Sales\Block\Adminhtml\Order\Create\Coupons $block */
 ?>
 <div class="admin__field field-apply-coupon-code">
     <label class="admin__field-label"><span><?= $block->escapeHtml(__('Apply Coupon Code')) ?></span></label>
@@ -18,7 +15,7 @@
         <?php if ($block->getCouponCode()) : ?>
         <p class="added-coupon-code">
             <span><?= $block->escapeHtml($block->getCouponCode()) ?></span>
-            <a href="#" onclick="order.applyCoupon(''); return false;" title="<?= $block->escapeHtml(__('Remove Coupon Code')) ?>"
+            <a href="#" onclick="order.applyCoupon(''); return false;" title="<?= $block->escapeHtmlAttr(__('Remove Coupon Code')) ?>"
                class="action-remove"><span><?= $block->escapeHtml(__('Remove')) ?></span></a>
         </p>
         <?php endif; ?>

app/code/Magento/Sales/view/adminhtml/templates/order/create/form/address.phtml

@@ -4,6 +4,8 @@
  * See COPYING.txt for license details.
  */
 
+/** @var \Magento\Sales\Block\Adminhtml\Order\Create\Form\Address $block */
+
 /**
  * @var \Magento\Customer\Model\ResourceModel\Address\Collection $addressCollection
  */
@@ -66,7 +68,7 @@ endif; ?>
             <?php $_id = $block->getForm()->getHtmlIdPrefix() . 'customer_address_id' ?>
             <div class="admin__field-control">
                 <select id="<?= $block->escapeHtmlAttr($_id) ?>"
-                        name="<?= $block->getForm()->getHtmlNamePrefix() ?>[customer_address_id]"
+                        name="<?= $block->escapeHtmlAttr($block->getForm()->getHtmlNamePrefix()) ?>[customer_address_id]"
                         onchange="order.selectAddress(this, '<?= $block->escapeJs($_fieldsContainerId) ?>')"
                         class="admin__control-select">
                     <option value=""><?= $block->escapeHtml(__('Add New Address')) ?></option>
@@ -85,8 +87,8 @@ endif; ?>
         <?= $block->getForm()->toHtml() ?>
 
         <div class="admin__field admin__field-option order-save-in-address-book">
-            <input name="<?= $block->getForm()->getHtmlNamePrefix() ?>[save_in_address_book]" type="checkbox" id="<?= $block->getForm()->getHtmlIdPrefix() ?>save_in_address_book" value="1"<?php if (!$block->getDontSaveInAddressBook()) : ?> checked="checked"<?php endif; ?> class="admin__control-checkbox"/>
-            <label for="<?= $block->getForm()->getHtmlIdPrefix() ?>save_in_address_book"
+            <input name="<?= $block->escapeHtmlAttr($block->getForm()->getHtmlNamePrefix()) ?>[save_in_address_book]" type="checkbox" id="<?= $block->escapeHtmlAttr($block->getForm()->getHtmlIdPrefix()) ?>save_in_address_book" value="1"<?php if (!$block->getDontSaveInAddressBook()) : ?> checked="checked"<?php endif; ?> class="admin__control-checkbox"/>
+            <label for="<?= $block->escapeHtmlAttr($block->getForm()->getHtmlIdPrefix()) ?>save_in_address_book"
                    class="admin__field-label"><?= $block->escapeHtml(__('Save in address book')) ?></label>
         </div>
     </div>

app/code/Magento/Sales/view/adminhtml/templates/order/create/sidebar.phtml

@@ -13,7 +13,7 @@
     <?php foreach ($block->getLayout()->getChildBlocks($block->getNameInLayout()) as $_alias => $_child) : ?>
         <?php if ($_alias != 'top_button' && $_alias != 'bottom_button') : ?>
             <?php if ($block->canDisplay($_child)) : ?>
-                <div class="order-sidebar-block" id="order-sidebar_<?= /* @noEscape */ $_alias ?>">
+                <div class="order-sidebar-block" id="order-sidebar_<?= $block->escapeHtmlAttr($_alias) ?>">
                     <?= $block->getChildHtml($_alias) ?>
                 </div>
             <?php endif; ?>

app/code/Magento/Sales/view/adminhtml/templates/order/create/sidebar/items.phtml

@@ -90,14 +90,14 @@
                                     <a href="#"
                                        class="icon icon-configure"
                                        title="<?= $block->escapeHtml(__('Configure and Add to Order')) ?>"
-                                       onclick="order.sidebarConfigureProduct('<?= 'sidebar_wishlist' ?>', <?= (int) $block->getProductId($_item) ?>, <?= (int) $block->getItemId($_item) ?>); return false;">
+                                       onclick="order.sidebarConfigureProduct('sidebar_wishlist', <?= (int) $block->getProductId($_item) ?>, <?= (int) $block->getItemId($_item) ?>); return false;">
                                         <span><?= $block->escapeHtml(__('Configure and Add to Order')) ?></span>
                                     </a>
                                 <?php elseif ($block->isConfigurationRequired($_item->getTypeId())) : ?>
                                     <a href="#"
                                        class="icon icon-configure"
                                        title="<?= $block->escapeHtml(__('Configure and Add to Order')) ?>"
-                                       onclick="order.sidebarConfigureProduct('<?= 'sidebar' ?>', <?= (int) $block->getProductId($_item) ?>); return false;">
+                                       onclick="order.sidebarConfigureProduct('sidebar', <?= (int) $block->getProductId($_item) ?>); return false;">
                                         <span><?= $block->escapeHtml(__('Configure and Add to Order')) ?></span>
                                     </a>
                                 <?php else : ?>

app/code/Magento/Sales/view/adminhtml/templates/order/creditmemo/create/totals/adjustments.phtml

@@ -11,7 +11,7 @@
         <td>
             <input type="text"
                    name="creditmemo[shipping_amount]"
-                   value="<?= /* @noEscape */ $block->getShippingAmount() ?>"
+                   value="<?= $block->escapeHtmlAttr($block->getShippingAmount()) ?>"
                    class="input-text admin__control-text not-negative-amount"
                    id="shipping_amount" />
         </td>
@@ -21,7 +21,7 @@
         <td>
             <input type="text"
                    name="creditmemo[adjustment_positive]"
-                   value="<?= /* @noEscape */ $_source->getBaseAdjustmentPositive() ?>"
+                   value="<?= $block->escapeHtmlAttr($_source->getBaseAdjustmentPositive()) ?>"
                    class="input-text admin__control-text not-negative-amount"
                    id="adjustment_positive" />
         </td>
@@ -31,15 +31,15 @@
         <td>
             <input type="text"
                    name="creditmemo[adjustment_negative]"
-                   value="<?= /* @noEscape */ $_source->getBaseAdjustmentNegative() ?>"
+                   value="<?= $block->escapeHtmlAttr($_source->getBaseAdjustmentNegative()) ?>"
                    class="input-text admin__control-text not-negative-amount"
                    id="adjustment_negative"/>
             <script>
                 require(['prototype'], function(){
 
                 //<![CDATA[
                 Validation.addAllThese([
-                    ['not-negative-amount', '<?= $block->escapeHtml(__('Please enter a positive number in this field.')) ?>', function(v) {
+                    ['not-negative-amount', '<?= $block->escapeJs(__('Please enter a positive number in this field.')) ?>', function(v) {
                         if(v.length)
                             return /^\s*\d+([,.]\d+)*\s*%?\s*$/.test(v);
                         else

app/code/Magento/Sales/view/adminhtml/templates/order/invoice/create/form.phtml

@@ -91,7 +91,7 @@ require(['prototype'], function(){
     }
 
     /*forced creating of shipment*/
-    var forcedShipmentCreate = <?= /* @noEscape */ $block->getForcedShipmentCreate() ?>;
+    var forcedShipmentCreate = <?= (int) $block->getForcedShipmentCreate() ?>;
     var shipmentElement = $('invoice_do_shipment');
     if (forcedShipmentCreate && shipmentElement) {
         shipmentElement.checked = true;

app/code/Magento/Sales/view/adminhtml/templates/order/totals/item.phtml

@@ -11,10 +11,14 @@
     <tr>
         <td class="label">
             <?php if ($block->getStrong()) : ?>
-                <strong><?php endif; ?><?= $block->escapeHtml(__($block->getLabel())) ?><?php if ($block->getStrong()) : ?></strong>
+                <strong>
+            <?php endif; ?>
+            <?= $block->escapeHtml(__($block->getLabel())) ?>
+            <?php if ($block->getStrong()) : ?>
+                </strong>
             <?php endif; ?>
         </td>
-        <td <?= $block->getHtmlClass() ? ('class="' . $block->getHtmlClass() . '"') : '' ?>>
+        <td <?= $block->getHtmlClass() ? ('class="' . $block->escapeHtmlAttr($block->getHtmlClass()) . '"') : '' ?>>
             <?php if ($block->getStrong()) : ?><strong><?php endif; ?>
             <?= /* @noEscape */ $block->displayPriceAttribute($block->getSourceField()) ?>
             <?php if ($block->getStrong()) : ?></strong><?php endif; ?>

app/code/Magento/Sales/view/adminhtml/templates/order/view/giftmessage.phtml

@@ -8,7 +8,7 @@
 ?>
 <?php if ($block->canDisplayGiftmessage()) : ?>
     <?php $_required = $block->getMessage()->getMessage() != '' ?>
-    <div id="<?= $block->getHtmlId() ?>" class="admin__page-section-content giftmessage-whole-order-container">
+    <div id="<?= $block->escapeHtmlAttr($block->getHtmlId()) ?>" class="admin__page-section-content giftmessage-whole-order-container">
         <form class="entry-edit form-inline" id="<?= $block->escapeHtmlAttr($block->getFieldId('form')) ?>" action="<?= $block->escapeUrl($block->getSaveUrl()) ?>">
             <fieldset class="admin__fieldset">
                 <legend class="admin__legend"><span><?= $block->escapeHtml(__('Gift Message for the Entire Order')) ?></span></legend>

app/code/Magento/Sales/view/adminhtml/templates/order/view/history.phtml

@@ -15,7 +15,7 @@
                 <div class="admin__field-control">
                     <select name="history[status]" id="history_status" class="admin__control-select">
                         <?php foreach ($block->getStatuses() as $_code => $_label) : ?>
-                            <option value="<?= $block->escapeHtml($_code) ?>"<?php if ($_code == $block->getOrder()->getStatus()) : ?> selected="selected"<?php endif; ?>><?= $block->escapeHtml($_label) ?></option>
+                            <option value="<?= $block->escapeHtmlAttr($_code) ?>"<?php if ($_code == $block->getOrder()->getStatus()) : ?> selected="selected"<?php endif; ?>><?= $block->escapeHtml($_label) ?></option>
                         <?php endforeach; ?>
                     </select>
                 </div>

app/code/Magento/Sales/view/adminhtml/templates/order/view/items.phtml

@@ -17,7 +17,7 @@ $_order = $block->getOrder() ?>
                 $lastItemNumber = count($columns) ?>
                 <?php foreach ($columns as $columnName => $columnTitle) : ?>
                     <?php $i++; ?>
-                    <th class="col-<?= /* @noEscape */ $columnName ?><?= /* @noEscape */ ($i === $lastItemNumber ? ' last' : '') ?>"><span><?= $block->escapeHtml($columnTitle) ?></span></th>
+                    <th class="col-<?= $block->escapeHtmlAttr($columnName) ?><?= /* @noEscape */ ($i === $lastItemNumber ? ' last' : '') ?>"><span><?= $block->escapeHtml($columnTitle) ?></span></th>
                 <?php endforeach; ?>
             </tr>
         </thead>