Merge remote-tracking branch 'remotes/mainline/2.3.3-develop' into MC-15972-squashed

danmooney2 · danmooney2 · commit eeda4f4a0b49 · 2019-06-14T11:57:41.000-05:00
diff --git a/app/code/Magento/Catalog/view/frontend/templates/product/view/form.phtml b/app/code/Magento/Catalog/view/frontend/templates/product/view/form.phtml
@@ -22,7 +22,7 @@
         <input type="hidden" name="product" value="<?= (int)$_product->getId() ?>" />
         <input type="hidden" name="selected_configurable_option" value="" />
         <input type="hidden" name="related_product" id="related-products-field" value="" />
-        <input type="hidden" name="item"  value="<?= $block->escapeHtmlAttr($block->getRequest()->getParam('id')) ?>" />
+        <input type="hidden" name="item"  value="<?= (int)$block->getRequest()->getParam('id') ?>" />
         <?= $block->getBlockHtml('formkey') ?>
         <?= $block->getChildHtml('form_top') ?>
         <?php if (!$block->hasOptions()) :?>
diff --git a/app/code/Magento/Checkout/view/frontend/web/js/action/select-payment-method.js b/app/code/Magento/Checkout/view/frontend/web/js/action/select-payment-method.js
@@ -12,6 +12,10 @@ define([
     'use strict';
 
     return function (paymentMethod) {
+        paymentMethod.__disableTmpl = {
+            title: true
+        };
+
         quote.paymentMethod(paymentMethod);
     };
 });
diff --git a/app/code/Magento/CurrencySymbol/view/adminhtml/templates/system/currency/rate/matrix.phtml b/app/code/Magento/CurrencySymbol/view/adminhtml/templates/system/currency/rate/matrix.phtml
@@ -28,7 +28,7 @@ $_rates = ($_newRates) ? $_newRates : $_oldRates;
                     <tr>
                         <th>&nbsp;</th>
                         <?php $_i = 0; foreach ($block->getAllowedCurrencies() as $_currencyCode): ?>
-                            <th><span><?= /* @escapeNotVerified */ $_currencyCode ?></span></th>
+                            <th><span><?= $block->escapeHtml($_currencyCode) ?></span></th>
                         <?php endforeach; ?>
                     </tr>
                 </thead>
diff --git a/app/code/Magento/Customer/Controller/Adminhtml/Index/InlineEdit.php b/app/code/Magento/Customer/Controller/Adminhtml/Index/InlineEdit.php
@@ -70,6 +70,11 @@ class InlineEdit extends \Magento\Backend\App\Action implements HttpPostActionIn
      */
     private $addressRegistry;
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * @param Action\Context $context
      * @param CustomerRepositoryInterface $customerRepository
@@ -78,6 +83,7 @@ class InlineEdit extends \Magento\Backend\App\Action implements HttpPostActionIn
      * @param \Magento\Framework\Api\DataObjectHelper $dataObjectHelper
      * @param \Psr\Log\LoggerInterface $logger
      * @param AddressRegistry|null $addressRegistry
+     * @param \Magento\Framework\Escaper $escaper
      */
     public function __construct(
         Action\Context $context,
@@ -86,14 +92,16 @@ public function __construct(
         \Magento\Customer\Model\Customer\Mapper $customerMapper,
         \Magento\Framework\Api\DataObjectHelper $dataObjectHelper,
         \Psr\Log\LoggerInterface $logger,
-        AddressRegistry $addressRegistry = null
+        AddressRegistry $addressRegistry = null,
+        \Magento\Framework\Escaper $escaper = null
     ) {
         $this->customerRepository = $customerRepository;
         $this->resultJsonFactory = $resultJsonFactory;
         $this->customerMapper = $customerMapper;
         $this->dataObjectHelper = $dataObjectHelper;
         $this->logger = $logger;
         $this->addressRegistry = $addressRegistry ?: ObjectManager::getInstance()->get(AddressRegistry::class);
+        $this->escaper = $escaper ?: ObjectManager::getInstance()->get(\Magento\Framework\Escaper::class);
         parent::__construct($context);
     }
 
@@ -128,10 +136,14 @@ public function execute()
 
         $postItems = $this->getRequest()->getParam('items', []);
         if (!($this->getRequest()->getParam('isAjax') && count($postItems))) {
-            return $resultJson->setData([
-                'messages' => [__('Please correct the data sent.')],
-                'error' => true,
-            ]);
+            return $resultJson->setData(
+                [
+                    'messages' => [
+                        __('Please correct the data sent.')
+                    ],
+                    'error' => true,
+                ]
+            );
         }
 
         foreach (array_keys($postItems) as $customerId) {
@@ -147,10 +159,12 @@ public function execute()
             $this->getEmailNotification()->credentialsChanged($this->getCustomer(), $currentCustomer->getEmail());
         }
 
-        return $resultJson->setData([
-            'messages' => $this->getErrorMessages(),
-            'error' => $this->isErrorExists()
-        ]);
+        return $resultJson->setData(
+            [
+                'messages' => $this->getErrorMessages(),
+                'error' => $this->isErrorExists()
+            ]
+        );
     }
 
     /**
@@ -234,13 +248,16 @@ protected function saveCustomer(CustomerInterface $customer)
             $this->disableAddressValidation($customer);
             $this->customerRepository->save($customer);
         } catch (\Magento\Framework\Exception\InputException $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId($e->getMessage()));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId($this->escaper->escapeHtml($e->getMessage())));
             $this->logger->critical($e);
         } catch (\Magento\Framework\Exception\LocalizedException $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId($e->getMessage()));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId($this->escaper->escapeHtml($e->getMessage())));
             $this->logger->critical($e);
         } catch (\Exception $e) {
-            $this->getMessageManager()->addError($this->getErrorWithCustomerId('We can\'t save the customer.'));
+            $this->getMessageManager()
+                ->addError($this->getErrorWithCustomerId('We can\'t save the customer.'));
             $this->logger->critical($e);
         }
     }
diff --git a/app/code/Magento/Customer/Model/AttributeMetadataResolver.php b/app/code/Magento/Customer/Model/AttributeMetadataResolver.php
@@ -113,7 +113,12 @@ public function getAttributesMeta(
         // use getDataUsingMethod, since some getters are defined and apply additional processing of returning value
         foreach (self::$metaProperties as $metaName => $origName) {
             $value = $attribute->getDataUsingMethod($origName);
-            $meta['arguments']['data']['config'][$metaName] = ($metaName === 'label') ? __($value) : $value;
+            if ($metaName === 'label') {
+                $meta['arguments']['data']['config'][$metaName] = __($value);
+                $meta['arguments']['data']['config']['__disableTmpl'] = [$metaName => true];
+            } else {
+                $meta['arguments']['data']['config'][$metaName] = $value;
+            }
             if ('frontend_input' === $origName) {
                 $meta['arguments']['data']['config']['formElement'] = self::$formElement[$value] ?? $value;
             }
@@ -144,7 +149,6 @@ public function getAttributesMeta(
             $attribute,
             $meta['arguments']['data']['config']
         );
-
         return $meta;
     }
 
diff --git a/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/InlineEditTest.php b/app/code/Magento/Customer/Test/Unit/Controller/Adminhtml/Index/InlineEditTest.php
@@ -9,6 +9,7 @@
 use Magento\Customer\Model\EmailNotificationInterface;
 use Magento\Framework\DataObject;
 use Magento\Framework\Message\MessageInterface;
+use Magento\Framework\Escaper;
 
 /**
  * Unit tests for Inline customer edit
@@ -78,6 +79,9 @@ class InlineEditTest extends \PHPUnit\Framework\TestCase
     /** @var array */
     private $items;
 
+    /** @var \Magento\Framework\Escaper */
+    private $escaper;
+
     /**
      * Sets up mocks
      *
@@ -86,7 +90,7 @@ class InlineEditTest extends \PHPUnit\Framework\TestCase
     protected function setUp()
     {
         $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
-
+        $this->escaper = new Escaper();
         $this->request = $this->getMockForAbstractClass(
             \Magento\Framework\App\RequestInterface::class,
             [],
@@ -172,7 +176,8 @@ protected function setUp()
                 'addressDataFactory' => $this->addressDataFactory,
                 'addressRepository' => $this->addressRepository,
                 'logger' => $this->logger,
-                'addressRegistry' => $this->addressRegistry
+                'addressRegistry' => $this->addressRegistry,
+                'escaper' => $this->escaper,
             ]
         );
         $reflection = new \ReflectionClass(get_class($this->controller));
@@ -291,10 +296,14 @@ protected function prepareMocksForErrorMessagesProcessing()
             ->willReturn('Error text');
         $this->resultJson->expects($this->once())
             ->method('setData')
-            ->with([
-                'messages' => ['Error text'],
-                'error' => true,
-            ])
+            ->with(
+                [
+                    'messages' => [
+                        'Error text',
+                    ],
+                    'error' => true,
+                ]
+            )
             ->willReturnSelf();
     }
 
@@ -340,10 +349,14 @@ public function testExecuteWithoutItems()
         $this->resultJson
             ->expects($this->once())
             ->method('setData')
-            ->with([
-                'messages' => [__('Please correct the data sent.')],
-                'error' => true,
-            ])
+            ->with(
+                [
+                    'messages' => [
+                        __('Please correct the data sent.'),
+                    ],
+                    'error' => true,
+                ]
+            )
             ->willReturnSelf();
         $this->assertSame($this->resultJson, $this->controller->execute());
     }
@@ -365,6 +378,7 @@ public function testExecuteLocalizedException()
             ->method('save')
             ->with($this->customerData)
             ->willThrowException($exception);
+
         $this->messageManager->expects($this->once())
             ->method('addError')
             ->with('[Customer ID: 12] Exception message');
diff --git a/app/code/Magento/Payment/Ui/Component/Listing/Column/Method/Options.php b/app/code/Magento/Payment/Ui/Component/Listing/Column/Method/Options.php
@@ -3,6 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
+declare(strict_types=1);
 namespace Magento\Payment\Ui\Component\Listing\Column\Method;
 
 /**
@@ -41,6 +42,14 @@ public function toOptionArray()
         if ($this->options === null) {
             $this->options = $this->paymentHelper->getPaymentMethodList(true, true);
         }
+
+        array_walk(
+            $this->options,
+            function (&$item) {
+                $item['__disableTmpl'] = true;
+            }
+        );
+
         return $this->options;
     }
 }
diff --git a/app/code/Magento/Store/etc/config.xml b/app/code/Magento/Store/etc/config.xml
@@ -135,14 +135,14 @@
                 </protected_extensions>
                 <public_files_valid_paths>
                     <protected>
-                        <app>/app/*/*</app>
-                        <bin>/bin/*/*</bin>
-                        <dev>/dev/*/*</dev>
-                        <generated>/generated/*/*</generated>
-                        <lib>/lib/*/*</lib>
-                        <setup>/setup/*/*</setup>
-                        <update>/update/*/*</update>
-                        <vendor>/vendor/*/*</vendor>
+                        <app>*/app/*/*</app>
+                        <bin>*/bin/*/*</bin>
+                        <dev>*/dev/*/*</dev>
+                        <generated>*/generated/*/*</generated>
+                        <lib>*/lib/*/*</lib>
+                        <setup>*/setup/*/*</setup>
+                        <update>*/update/*/*</update>
+                        <vendor>*/vendor/*/*</vendor>
                     </protected>
                 </public_files_valid_paths>
             </file>
diff --git a/app/code/Magento/Ui/view/base/web/js/grid/filters/filters.js b/app/code/Magento/Ui/view/base/web/js/grid/filters/filters.js
@@ -274,7 +274,8 @@ define([
             filter = utils.extend({}, filters.base, filter);
             //Accepting labels as is.
             filter.__disableTmpl = {
-                label: 1
+                label: 1,
+                options: 1
             };
 
             filter = utils.template(filter, {
diff --git a/app/code/Magento/Wishlist/Controller/Index/Add.php b/app/code/Magento/Wishlist/Controller/Index/Add.php
@@ -7,15 +7,18 @@
 
 use Magento\Catalog\Api\ProductRepositoryInterface;
 use Magento\Framework\App\Action;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\Framework\Data\Form\FormKey\Validator;
 use Magento\Framework\Exception\NotFoundException;
 use Magento\Framework\Exception\NoSuchEntityException;
 use Magento\Framework\Controller\ResultFactory;
 
 /**
+ * Wish list Add controller
+ *
  * @SuppressWarnings(PHPMD.CouplingBetweenObjects)
  */
-class Add extends \Magento\Wishlist\Controller\AbstractIndex
+class Add extends \Magento\Wishlist\Controller\AbstractIndex implements HttpPostActionInterface
 {
     /**
      * @var \Magento\Wishlist\Controller\WishlistProviderInterface
@@ -138,6 +141,7 @@ public function execute()
                     'referer' => $referer
                 ]
             );
+            // phpcs:disable Magento2.Exceptions.ThrowCatch
         } catch (\Magento\Framework\Exception\LocalizedException $e) {
             $this->messageManager->addErrorMessage(
                 __('We can\'t add the item to Wish List right now: %1.', $e->getMessage())
diff --git a/dev/tests/integration/testsuite/Magento/Wishlist/Controller/Index/PluginTest.php b/dev/tests/integration/testsuite/Magento/Wishlist/Controller/Index/PluginTest.php
@@ -50,6 +50,7 @@ protected function tearDown()
      */
     public function testAddActionProductWithInvalidCredentials(): void
     {
+        $this->getRequest()->setMethod('POST');
         $this->getRequest()->setPostValue(
             [
                 'login' => [
diff --git a/dev/tests/integration/testsuite/Magento/Wishlist/Controller/IndexTest.php b/dev/tests/integration/testsuite/Magento/Wishlist/Controller/IndexTest.php
@@ -98,9 +98,12 @@ public function testAddActionProductNameXss()
     {
         /** @var \Magento\Framework\Data\Form\FormKey $formKey */
         $formKey = $this->_objectManager->get(\Magento\Framework\Data\Form\FormKey::class);
-        $this->getRequest()->setPostValue([
-            'form_key' => $formKey->getFormKey(),
-        ]);
+        $this->getRequest()->setMethod('POST');
+        $this->getRequest()->setPostValue(
+            [
+                'form_key' => $formKey->getFormKey(),
+            ]
+        );
 
         /** @var \Magento\Catalog\Api\ProductRepositoryInterface $productRepository */
         $productRepository = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()
