Merge branch '2.3-develop' of https://github.com/magento/magento2ce into MAGETWO-98825

Author: dhorytskyi

app/code/Magento/AdminNotification/Model/Feed.php

@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +96,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +263,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/Bundle/view/frontend/templates/sales/order/creditmemo/items/renderer.phtml

@@ -67,7 +67,7 @@
     </td>
     <td class="col discount" data-th="<?= $block->escapeHtml(__('Discount Amount')) ?>">
         <?php if ($block->canShowPriceInfo($_item)) : ?>
-            <?= $block->escapeHtml($block->getOrder()->formatPrice(-$_item->getDiscountAmount())) ?>
+            <?= $block->escapeHtml($block->getOrder()->formatPrice(-$_item->getDiscountAmount()), ['span']) ?>
         <?php else : ?>
             &nbsp;
         <?php endif; ?>

app/code/Magento/Catalog/Block/Adminhtml/Product/Edit.php

@@ -12,8 +12,16 @@
  */
 namespace Magento\Catalog\Block\Adminhtml\Product;
 
+/**
+ * Class Edit
+ */
 class Edit extends \Magento\Backend\Block\Widget
 {
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * @var string
      */
@@ -47,6 +55,7 @@ class Edit extends \Magento\Backend\Block\Widget
      * @param \Magento\Eav\Model\Entity\Attribute\SetFactory $attributeSetFactory
      * @param \Magento\Framework\Registry $registry
      * @param \Magento\Catalog\Helper\Product $productHelper
+     * @param \Magento\Framework\Escaper $escaper
      * @param array $data
      */
     public function __construct(
@@ -55,16 +64,20 @@ public function __construct(
         \Magento\Eav\Model\Entity\Attribute\SetFactory $attributeSetFactory,
         \Magento\Framework\Registry $registry,
         \Magento\Catalog\Helper\Product $productHelper,
+        \Magento\Framework\Escaper $escaper,
         array $data = []
     ) {
         $this->_productHelper = $productHelper;
         $this->_attributeSetFactory = $attributeSetFactory;
         $this->_coreRegistry = $registry;
         $this->jsonEncoder = $jsonEncoder;
+        $this->escaper = $escaper;
         parent::__construct($context, $data);
     }
 
     /**
+     * Edit Product constructor
+     *
      * @return void
      */
     protected function _construct()
@@ -144,6 +157,8 @@ protected function _prepareLayout()
     }
 
     /**
+     * Retrieve back button html
+     *
      * @return string
      */
     public function getBackButtonHtml()
@@ -152,6 +167,8 @@ public function getBackButtonHtml()
     }
 
     /**
+     * Retrieve cancel button html
+     *
      * @return string
      */
     public function getCancelButtonHtml()
@@ -160,6 +177,8 @@ public function getCancelButtonHtml()
     }
 
     /**
+     * Retrieve save button html
+     *
      * @return string
      */
     public function getSaveButtonHtml()
@@ -168,6 +187,8 @@ public function getSaveButtonHtml()
     }
 
     /**
+     * Retrieve save and edit button html
+     *
      * @return string
      */
     public function getSaveAndEditButtonHtml()
@@ -176,6 +197,8 @@ public function getSaveAndEditButtonHtml()
     }
 
     /**
+     * Retrieve delete button html
+     *
      * @return string
      */
     public function getDeleteButtonHtml()
@@ -194,6 +217,8 @@ public function getSaveSplitButtonHtml()
     }
 
     /**
+     * Retrieve validation url
+     *
      * @return string
      */
     public function getValidationUrl()
@@ -202,6 +227,8 @@ public function getValidationUrl()
     }
 
     /**
+     * Retrieve save url
+     *
      * @return string
      */
     public function getSaveUrl()
@@ -210,6 +237,8 @@ public function getSaveUrl()
     }
 
     /**
+     * Retrieve save and continue url
+     *
      * @return string
      */
     public function getSaveAndContinueUrl()
@@ -221,6 +250,8 @@ public function getSaveAndContinueUrl()
     }
 
     /**
+     * Retrieve product id
+     *
      * @return mixed
      */
     public function getProductId()
@@ -229,6 +260,8 @@ public function getProductId()
     }
 
     /**
+     * Retrieve product set id
+     *
      * @return mixed
      */
     public function getProductSetId()
@@ -241,6 +274,8 @@ public function getProductSetId()
     }
 
     /**
+     * Retrieve duplicate url
+     *
      * @return string
      */
     public function getDuplicateUrl()
@@ -249,6 +284,8 @@ public function getDuplicateUrl()
     }
 
     /**
+     * Retrieve product header
+     *
      * @deprecated 101.1.0
      * @return string
      */
@@ -263,6 +300,8 @@ public function getHeader()
     }
 
     /**
+     * Get product attribute set name
+     *
      * @return string
      */
     public function getAttributeSetName()
@@ -275,11 +314,14 @@ public function getAttributeSetName()
     }
 
     /**
+     * Retrieve id of selected tab
+     *
      * @return string
      */
     public function getSelectedTabId()
     {
-        return addslashes(htmlspecialchars($this->getRequest()->getParam('tab')));
+        // phpcs:ignore Magento2.Functions.DiscouragedFunction
+        return addslashes($this->escaper->escapeHtml($this->getRequest()->getParam('tab')));
     }
 
     /**

app/code/Magento/Catalog/Test/Mftf/ActionGroup/AdminProductActionGroup.xml

@@ -485,4 +485,8 @@
         <click selector="{{AdminAddUpSellProductsModalSection.AddSelectedProductsButton}}" stepKey="addRelatedProductSelected"/>
         <waitForPageLoad stepKey="waitForPageToLoad1"/>
     </actionGroup>
+    <actionGroup name="AdminSetProductDisabled">
+        <conditionalClick selector="{{AdminProductFormSection.enableProductLabel}}" dependentSelector="{{AdminProductFormSection.productStatusValue('1')}}" visible="true" stepKey="disableProduct"/>
+        <seeElement selector="{{AdminProductFormSection.productStatusValue('2')}}" stepKey="assertThatProductSetToDisabled"/>
+    </actionGroup>
 </actionGroups>

app/code/Magento/Catalog/Test/Mftf/Section/AdminProductFormSection.xml

@@ -21,6 +21,7 @@
         <element name="enableProductAttributeLabel" type="text" selector="//span[text()='Enable Product']/parent::label"/>
         <element name="enableProductAttributeLabelWrapper" type="text" selector="//span[text()='Enable Product']/parent::label/parent::div"/>
         <element name="productStatus" type="checkbox" selector="input[name='product[status]']"/>
+        <element name="productStatusValue" type="checkbox" selector="input[name='product[status]'][value='{{value}}']" timeout="30" parameterized="true"/>
         <element name="productStatusDisabled" type="checkbox" selector="input[name='product[status]'][disabled]"/>
         <element name="enableProductLabel" type="checkbox" selector="input[name='product[status]']+label"/>
         <element name="productStatusUseDefault" type="checkbox" selector="input[name='use_default[status]']"/>

app/code/Magento/Catalog/view/frontend/templates/product/view/details.phtml

@@ -26,7 +26,7 @@
                        data-toggle="trigger"
                        href="#<?= $block->escapeUrl($alias) ?>"
                        id="tab-label-<?= $block->escapeHtmlAttr($alias) ?>-title">
-                        <?= $block->escapeHtml($label) ?>
+                        <?= /* @noEscape */ $label ?>
                     </a>
                 </div>
                 <div class="data item content"

app/code/Magento/CatalogInventory/Model/Quote/Item/QuantityValidator/Initializer/StockItem.php

@@ -7,8 +7,15 @@
 
 use Magento\Catalog\Model\ProductTypes\ConfigInterface;
 use Magento\CatalogInventory\Api\StockStateInterface;
+use Magento\CatalogInventory\Api\Data\StockItemInterface;
 use Magento\CatalogInventory\Model\Quote\Item\QuantityValidator\QuoteItemQtyList;
+use Magento\CatalogInventory\Model\Spi\StockStateProviderInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Quote\Model\Quote\Item;
 
+/**
+ * Class StockItem initializes stock item and populates it with data
+ */
 class StockItem
 {
     /**
@@ -26,26 +33,35 @@ class StockItem
      */
     protected $stockState;
 
+    /**
+     * @var StockStateProviderInterface
+     */
+    private $stockStateProvider;
+
     /**
      * @param ConfigInterface $typeConfig
      * @param QuoteItemQtyList $quoteItemQtyList
      * @param StockStateInterface $stockState
+     * @param StockStateProviderInterface|null $stockStateProvider
      */
     public function __construct(
         ConfigInterface $typeConfig,
         QuoteItemQtyList $quoteItemQtyList,
-        StockStateInterface $stockState
+        StockStateInterface $stockState,
+        StockStateProviderInterface $stockStateProvider = null
     ) {
         $this->quoteItemQtyList = $quoteItemQtyList;
         $this->typeConfig = $typeConfig;
         $this->stockState = $stockState;
+        $this->stockStateProvider = $stockStateProvider ?: ObjectManager::getInstance()
+            ->get(StockStateProviderInterface::class);
     }
 
     /**
      * Initialize stock item
      *
-     * @param \Magento\CatalogInventory\Api\Data\StockItemInterface $stockItem
-     * @param \Magento\Quote\Model\Quote\Item $quoteItem
+     * @param StockItemInterface $stockItem
+     * @param Item $quoteItem
      * @param int $qty
      *
      * @return \Magento\Framework\DataObject
@@ -54,11 +70,14 @@ public function __construct(
      * @SuppressWarnings(PHPMD.NPathComplexity)
      */
     public function initialize(
-        \Magento\CatalogInventory\Api\Data\StockItemInterface $stockItem,
-        \Magento\Quote\Model\Quote\Item $quoteItem,
+        StockItemInterface $stockItem,
+        Item $quoteItem,
         $qty
     ) {
         $product = $quoteItem->getProduct();
+        $quoteItemId = $quoteItem->getId();
+        $quoteId = $quoteItem->getQuoteId();
+        $productId = $product->getId();
         /**
          * When we work with subitem
          */
@@ -68,14 +87,14 @@ public function initialize(
              * we are using 0 because original qty was processed
              */
             $qtyForCheck = $this->quoteItemQtyList
-                ->getQty($product->getId(), $quoteItem->getId(), $quoteItem->getQuoteId(), 0);
+                ->getQty($productId, $quoteItemId, $quoteId, 0);
         } else {
             $increaseQty = $quoteItem->getQtyToAdd() ? $quoteItem->getQtyToAdd() : $qty;
             $rowQty = $qty;
             $qtyForCheck = $this->quoteItemQtyList->getQty(
-                $product->getId(),
-                $quoteItem->getId(),
-                $quoteItem->getQuoteId(),
+                $productId,
+                $quoteItemId,
+                $quoteId,
                 $increaseQty
             );
         }
@@ -90,14 +109,20 @@ public function initialize(
 
         $stockItem->setProductName($product->getName());
 
+        /** @var \Magento\Framework\DataObject $result */
         $result = $this->stockState->checkQuoteItemQty(
-            $product->getId(),
+            $productId,
             $rowQty,
             $qtyForCheck,
             $qty,
             $product->getStore()->getWebsiteId()
         );
 
+        /* We need to ensure that any possible plugin will not erase the data */
+        $backOrdersQty = $this->stockStateProvider->checkQuoteItemQty($stockItem, $rowQty, $qtyForCheck, $qty)
+            ->getItemBackorders();
+        $result->setItemBackorders($backOrdersQty);
+
         if ($stockItem->hasIsChildItem()) {
             $stockItem->unsIsChildItem();
         }