
Commit f2aeeb8

Merge remote-tracking branch 'github-magento2ce/2.3-develop' into MAGETWO-93061v1
2 parents df83632 + 553946c commit f2aeeb8


573 files changed

+39155
-5087
lines changed



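--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Reporting Security Issues
+
+Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants.
+
+## Where should I report security issues?
+
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento). Please provide us with relevant technical details and repro steps to expedite our investigation. If you prefer not to use HackerOne, email us directly at `psirt@adobe.com` with details and repro steps.
+
+## Learning More About Security
+To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).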

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml

Lines changed: 1 addition & 1 deletion
@@ -27,4 +27,4 @@
2727
}
2828
}
2929
}
30-
</script>
30+
</script>

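--- a/app/code/Magento/AdvancedSearch/view/adminhtml/templates/system/config/testconnection.phtml
+++ b/app/code/Magento/AdvancedSearch/view/adminhtml/templates/system/config/testconnection.phtml
@@ -6,10 +6,10 @@
 // @codingStandardsIgnoreFile
 ?>
 <button class="scalable" type="button" id="<?= $block->getHtmlId() ?>" data-mage-init='{"testConnection":{
-"url": "<?= /* @escapeNotVerified */ $block->getAjaxUrl() ?>",
+"url": "<?= $block->escapeUrl($block->getAjaxUrl()) ?>",
 "elementId": "<?= $block->getHtmlId() ?>",
-"successText": "<?= /* @escapeNotVerified */ __('Successful! Test again?') ?>",
-"failedText": "<?= /* @escapeNotVerified */ __('Connection failed! Test again?') ?>",
-"fieldMapping": "<?= /* @escapeNotVerified */ $block->getFieldMapping() ?>"}, "validation": {}}'>
+"successText": "<?= $block->escapeHtmlAttr(__('Successful! Test again?')) ?>",
+"failedText": "<?= $block->escapeHtmlAttr(__('Connection failed! Test again?')) ?>",
+"fieldMapping": "<?= /* @noEscape */ $block->getFieldMapping() ?>"}, "validation": {}}'>
 <span><span><span id="<?= $block->getHtmlId() ?>_result"><?= $block->escapeHtml($block->getButtonLabel()) ?></span></span></span>
 </button>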
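Review bot: `fieldMapping` on line 13 of the new side is the one value in this `data-mage-init` JSON left raw under `/* @noEscape */`, while `url`, `successText` and `failedText` in the same hunk were moved to `escapeUrl`/`escapeHtmlAttr`. A `"`, `'` or backslash in the mapping string would break the JSON or end the single-quoted attribute early, and nothing in the hunk shows where getFieldMapping() gets its value. Unless that value is a fixed identifier, applying the same escaper as the neighbouring strings, `"fieldMapping": "<?= $block->escapeHtmlAttr($block->getFieldMapping()) ?>"}, "validation": {}}'>`, removes the exception; if it really is trusted, a short comment naming its source would justify the annotation. Note that none of the escapers used here protect the JSON quoting layer itself (an attribute-escaped `"` is decoded back before the JSON is parsed), so building the configuration array in PHP and emitting it once with `$block->escapeHtmlAttr(json_encode($config))` would cover both layers.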

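--- a/app/code/Magento/AdvancedSearch/view/frontend/templates/search_data.phtml
+++ b/app/code/Magento/AdvancedSearch/view/frontend/templates/search_data.phtml
@@ -13,13 +13,13 @@
 $data = $block->getItems();
 if (count($data)):?>
 <dl class="block">
-<dt class="title"><?= /* @escapeNotVerified */ __($block->getTitle()) ?></dt>
+<dt class="title"><?= $block->escapeHtml(__($block->getTitle())) ?></dt>
 <?php foreach ($data as $additionalInfo) : ?>
 <dd class="item">
-<a href="<?= /* @escapeNotVerified */ $block->getLink($additionalInfo->getQueryText()) ?>"
+<a href="<?= $block->escapeUrl($block->getLink($additionalInfo->getQueryText())) ?>"
 ><?= $block->escapeHtml($additionalInfo->getQueryText()) ?></a>
 <?php if ($block->isShowResultsCount()): ?>
-<span class="count"><?= /* @escapeNotVerified */ $additionalInfo->getResultsCount() ?></span>
+<span class="count"><?= /* @noEscape */ (int)$additionalInfo->getResultsCount() ?></span>
 <?php endif; ?>
 </dd>
 <?php endforeach; ?>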
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<!--
3+
/**
4+
* Copyright © Magento, Inc. All rights reserved.
5+
* See COPYING.txt for license details.
6+
*/
7+
-->
8+
9+
<actionGroups xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
10+
xsi:noNamespaceSchemaLocation="urn:magento:mftf:Test/etc/actionGroupSchema.xsd">
11+
<actionGroup name="AssertOrderGraphImageOnDashboardActionGroup">
12+
<click selector="{{AdminDashboardSection.ordersTab}}" stepKey="clickOrdersBtn"/>
13+
<seeElement selector="{{AdminDashboardSection.ordersChart}}" stepKey="seeGraphImage"/>
14+
</actionGroup>
15+
</actionGroups>

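--- a/app/code/Magento/Backend/Test/Mftf/Page/AdminDashboardPage.xml
+++ b/app/code/Magento/Backend/Test/Mftf/Page/AdminDashboardPage.xml
@@ -10,5 +10,6 @@
 xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/PageObject.xsd">
 <page name="AdminDashboardPage" url="admin/dashboard/" area="admin" module="Magento_Backend">
 <section name="AdminMenuSection"/>
+<section name="AdminDashboardSection"/>
 </page>
 </pages>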

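--- a/app/code/Magento/Backend/Test/Mftf/Section/AdminDashboardSection.xml
+++ b/app/code/Magento/Backend/Test/Mftf/Section/AdminDashboardSection.xml
@@ -9,6 +9,8 @@
 <sections xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
 <section name="AdminDashboardSection">
+<element name="ordersTab" type="button" selector="#diagram_tab_orders"/>
+<element name="ordersChart" type="button" selector="#diagram_tab_orders_content .dashboard-diagram-image img"/>
 <element name="dashboardDiagramContent" type="button" selector="#diagram_tab_content"/>
 <element name="dashboardDiagramOrderContentTab" type="block" selector="#diagram_tab_orders_content"/>
 <element name="dashboardDiagramAmounts" type="button" selector="#diagram_tab_amounts"/>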
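Review bot: `ordersChart` on line 13 of the new side is declared `type="button"` although its selector ends in `img`, which is not an interactive element; the existing `dashboardDiagramOrderContentTab` two lines below uses `type="block"` for a non-button, so `<element name="ordersChart" type="block" selector="#diagram_tab_orders_content .dashboard-diagram-image img"/>` would keep the section consistent. As far as this file shows the element type is descriptive only, so this is a point of style rather than a functional defect.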

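--- a/app/code/Magento/Backend/Test/Mftf/Section/AdminSlideOutDialogSection.xml
+++ b/app/code/Magento/Backend/Test/Mftf/Section/AdminSlideOutDialogSection.xml
@@ -8,7 +8,7 @@
 <sections xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xsi:noNamespaceSchemaLocation="urn:magento:mftf:Page/etc/SectionObject.xsd">
 <section name="AdminSlideOutDialogSection">
-<element name="closeButton" type="button" selector=".modal-slide._show [data-role='closeBtn']" timeout="30"/>
+<element name="closeButton" type="button" selector=".modal-slide._show [data-role=&quot;closeBtn&quot;]" timeout="30"/>
 <element name="cancelButton" type="button" selector="//*[contains(@class, 'modal-slide') and contains(@class, '_show')]//*[contains(@class, 'page-actions')]//button[normalize-space(.)='Cancel']" timeout="30"/>
 <element name="doneButton" type="button" selector="//*[contains(@class, 'modal-slide') and contains(@class, '_show')]//*[contains(@class, 'page-actions')]//button[normalize-space(.)='Done']" timeout="30"/>
 <element name="saveButton" type="button" selector="//*[contains(@class, 'modal-slide') and contains(@class, '_show')]//*[contains(@class, 'page-actions')]//button[normalize-space(.)='Save']" timeout="30"/>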

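--- a/app/code/Magento/Bundle/Test/Mftf/Test/AdminDeleteBundleDynamicProductTest.xml
+++ b/app/code/Magento/Bundle/Test/Mftf/Test/AdminDeleteBundleDynamicProductTest.xml
@@ -16,6 +16,9 @@
 <severity value="CRITICAL"/>
 <testCaseId value="MC-11016"/>
 <group value="mtf_migrated"/>
+<skip>
+<issueId value="MC-16393"/>
+</skip>
 </annotations>
 <before>
 <actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>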

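--- a/app/code/Magento/Bundle/view/adminhtml/templates/catalog/product/edit/tab/attributes/extend.phtml
+++ b/app/code/Magento/Bundle/view/adminhtml/templates/catalog/product/edit/tab/attributes/extend.phtml
@@ -4,8 +4,6 @@
 * See COPYING.txt for license details.
 */
 
-// @codingStandardsIgnoreFile
-
 /** @var $block \Magento\Bundle\Block\Adminhtml\Catalog\Product\Edit\Tab\Attributes\Extend */
 $elementHtml = $block->getParentElementHtml();
 
@@ -20,18 +18,18 @@ $isElementReadonly = $block->getElement()
 ->getReadonly();
 ?>
 
-<?php if (!($attributeCode === 'price' && $block->getCanReadPrice() === false)): ?>
-<div class="<?= /* @escapeNotVerified */ $attributeCode ?> "><?= /* @escapeNotVerified */ $elementHtml ?></div>
+<?php if (!($attributeCode === 'price' && $block->getCanReadPrice() === false)) : ?>
+<div class="<?= $block->escapeHtmlAttr($attributeCode) ?> "><?= /* @noEscape */ $elementHtml ?></div>
 <?php endif; ?>
 
 <?= $block->getExtendedElement($switchAttributeCode)->toHtml() ?>
 
 <?php if (!$isElementReadonly && $block->getDisableChild()) { ?>
 <script>
 require(['prototype'], function () {
-function <?= /* @escapeNotVerified */ $switchAttributeCode ?>_change() {
-var $attribute = $('<?= /* @escapeNotVerified */ $attributeCode ?>');
-if ($('<?= /* @escapeNotVerified */ $switchAttributeCode ?>').value == '<?= /* @escapeNotVerified */ $block::DYNAMIC ?>') {
+function <?= /* @noEscape */ $switchAttributeCode ?>_change() {
+var $attribute = $('<?= $block->escapeJs($attributeCode) ?>');
+if ($('<?= /* @noEscape */ $switchAttributeCode ?>').value == '<?= $block->escapeJs($block::DYNAMIC) ?>') {
 if ($attribute) {
 $attribute.disabled = true;
 $attribute.value = '';
@@ -43,10 +41,10 @@ $isElementReadonly = $block->getElement()
 } else {
 if ($attribute) {
 <?php if ($attributeCode === 'price' && !$block->getCanEditPrice() && $block->getCanReadPrice()
-&& $block->getProduct()->isObjectNew()): ?>
-<?php $defaultProductPrice = $block->getDefaultProductPrice() ?: "''"; ?>
-$attribute.value = <?= /* @escapeNotVerified */ $defaultProductPrice ?>;
-<?php else: ?>
+&& $block->getProduct()->isObjectNew()) : ?>
+<?php $defaultProductPrice = $block->getDefaultProductPrice() ?: "''"; ?>
+$attribute.value = <?= /* @noEscape */ (string)$defaultProductPrice ?>;
+<?php else : ?>
 $attribute.disabled = false;
 $attribute.addClassName('required-entry');
 <?php endif; ?>
@@ -58,11 +56,11 @@ $isElementReadonly = $block->getElement()
 }
 
 <?php if (!($attributeCode === 'price' && !$block->getCanEditPrice()
-&& !$block->getProduct()->isObjectNew())): ?>
-$('<?= /* @escapeNotVerified */ $switchAttributeCode ?>').observe('change', <?= /* @escapeNotVerified */ $switchAttributeCode ?>_change);
+&& !$block->getProduct()->isObjectNew())) : ?>
+$('<?= /* @noEscape */ $switchAttributeCode ?>').observe('change', <?= /* @noEscape */ $switchAttributeCode ?>_change);
 <?php endif; ?>
 Event.observe(window, 'load', function(){
-<?= /* @escapeNotVerified */ $switchAttributeCode ?>_change();
+<?= /* @noEscape */ $switchAttributeCode ?>_change();
 });
 });
 </script>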
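Review bot: Lines 32 and 60 of the new side still emit `$switchAttributeCode` under `/* @noEscape */` inside a JavaScript string literal (`$('<?= ... ?>')`), while line 31 in the same hunk moved the equivalent `$attributeCode` to `escapeJs`; the two string contexts deserve the same treatment, e.g. `$('<?= $block->escapeJs($switchAttributeCode) ?>')` on both lines. The remaining raw uses of `$switchAttributeCode` form a JS identifier (`<name>_change`), which no escaper can make safe, so a one-line comment above the function stating where the code comes from and why it is emitted raw would document what the annotation now only asserts. Line 46 casts `$defaultProductPrice` with `(string)` before emitting it raw as a JS expression; a string cast does not constrain the value, so if the default price is numeric, as the name suggests, a numeric cast on the non-empty branch would be the stronger guard — worth confirming against getDefaultProductPrice(). The enclosing `<?php if (!$isElementReadonly && $block->getDisableChild()) { ?>` block closes outside the last hunk.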
