Merge remote-tracking branch 'origin/MAGETWO-98235' into borg-qwerty-2.1

Author: nathanjosiah

app/code/Magento/Customer/etc/adminhtml/system.xml

@@ -261,6 +261,7 @@
                 </field>
                 <field id="html" type="textarea" sortOrder="3" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>HTML</label>
+                    <comment>Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed</comment>
                 </field>
                 <field id="pdf" type="textarea" sortOrder="4" showInDefault="1" showInWebsite="1" showInStore="1" canRestore="1">
                     <label>PDF</label>

app/code/Magento/Customer/i18n/en_US.csv

@@ -480,6 +480,7 @@ Password:,Password:
 "Address Templates","Address Templates"
 "Online Customers Options","Online Customers Options"
 "Online Minutes Interval","Online Minutes Interval"
+"Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed","Only 'b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul' tags are allowed"
 "Leave empty for default (15 minutes).","Leave empty for default (15 minutes)."
 "Enable Autocomplete on login/forgot password forms","Enable Autocomplete on login/forgot password forms"
 "Customer Grid","Customer Grid"

app/code/Magento/Customer/view/adminhtml/templates/tab/view/personal_info.phtml

@@ -15,6 +15,7 @@ $lastLoginDateStore = $block->getStoreLastLoginDate();
 
 $createDateAdmin = $block->getCreateDate();
 $createDateStore = $block->getStoreCreateDate();
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 
 <div class="fieldset-wrapper customer-information">
@@ -65,7 +66,7 @@ $createDateStore = $block->getStoreCreateDate();
     <address>
         <strong><?php echo $block->escapeHtml(__('Default Billing Address')) ?></strong>
         <br/>
-        <?php echo $block->getBillingAddressHtml() ?>
+        <?php echo $block->escapeHtml($block->getBillingAddressHtml(), $allowedAddressHtmlTags) ?>
     </address>
 
 </div>

app/code/Magento/Sales/view/adminhtml/templates/order/view/info.phtml

@@ -24,6 +24,7 @@ $orderStoreDate = $block->formatDate(
     true,
     $block->getTimezoneForStore($order->getStore())
 );
+$allowedAddressHtmlTags = ['b', 'br', 'em', 'i', 'li', 'ol', 'p', 'strong', 'sub', 'sup', 'ul'];
 ?>
 
 <section class="admin__page-section order-view-account-information">
@@ -168,7 +169,7 @@ $orderStoreDate = $block->formatDate(
                 <span class="title"><?php echo $block->escapeHtml(__('Billing Address')) ?></span>
                 <div class="actions"><?php /* @noEscape */ echo $block->getAddressEditLink($order->getBillingAddress()); ?></div>
             </div>
-            <address class="admin__page-section-item-content"><?php /* @noEscape */ echo $block->getFormattedAddress($order->getBillingAddress()); ?></address>
+            <address class="admin__page-section-item-content"><?php echo $block->escapeHtml($block->getFormattedAddress($order->getBillingAddress()), $allowedAddressHtmlTags); ?></address>
         </div>
         <?php if (!$block->getOrder()->getIsVirtual()): ?>
             <div class="admin__page-section-item order-shipping-address">
@@ -177,7 +178,7 @@ $orderStoreDate = $block->formatDate(
                     <span class="title"><?php echo $block->escapeHtml(__('Shipping Address')) ?></span>
                     <div class="actions"><?php /* @noEscape */ echo $block->getAddressEditLink($order->getShippingAddress()); ?></div>
                 </div>
-                <address class="admin__page-section-item-content"><?php /* @noEscape */ echo $block->getFormattedAddress($order->getShippingAddress()); ?></address>
+                <address class="admin__page-section-item-content"><?php echo $block->escapeHtml($block->getFormattedAddress($order->getShippingAddress()), $allowedAddressHtmlTags); ?></address>
             </div>
         <?php endif; ?>
     </div>