Merge pull request magento#4263 from magento-borg/borg-2.3

[borg] Fixes

Author: nathanjosiah

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml

@@ -27,4 +27,4 @@
             }
         }
     }
-</script>
+</script>

app/code/Magento/AdvancedSearch/view/adminhtml/templates/system/config/testconnection.phtml

@@ -6,10 +6,10 @@
 // @codingStandardsIgnoreFile
 ?>
 <button class="scalable" type="button" id="<?= $block->getHtmlId() ?>" data-mage-init='{"testConnection":{
-    "url": "<?= /* @escapeNotVerified */ $block->getAjaxUrl() ?>",
+    "url": "<?= $block->escapeUrl($block->getAjaxUrl()) ?>",
     "elementId": "<?= $block->getHtmlId() ?>",
-    "successText": "<?= /* @escapeNotVerified */ __('Successful! Test again?') ?>",
-    "failedText": "<?= /* @escapeNotVerified */ __('Connection failed! Test again?') ?>",
-    "fieldMapping": "<?= /* @escapeNotVerified */ $block->getFieldMapping() ?>"}, "validation": {}}'>
+    "successText": "<?= $block->escapeHtmlAttr(__('Successful! Test again?')) ?>",
+    "failedText": "<?= $block->escapeHtmlAttr(__('Connection failed! Test again?')) ?>",
+    "fieldMapping": "<?= /* @noEscape */ $block->getFieldMapping() ?>"}, "validation": {}}'>
     <span><span><span id="<?= $block->getHtmlId() ?>_result"><?= $block->escapeHtml($block->getButtonLabel()) ?></span></span></span>
 </button>

app/code/Magento/AdvancedSearch/view/frontend/templates/search_data.phtml

@@ -13,13 +13,13 @@
 $data = $block->getItems();
 if (count($data)):?>
     <dl class="block">
-        <dt class="title"><?= /* @escapeNotVerified */ __($block->getTitle()) ?></dt>
+        <dt class="title"><?= $block->escapeHtml(__($block->getTitle())) ?></dt>
         <?php foreach ($data as $additionalInfo) : ?>
             <dd class="item">
-                <a href="<?= /* @escapeNotVerified */ $block->getLink($additionalInfo->getQueryText()) ?>"
+                <a href="<?= $block->escapeUrl($block->getLink($additionalInfo->getQueryText())) ?>"
                     ><?= $block->escapeHtml($additionalInfo->getQueryText()) ?></a>
                 <?php if ($block->isShowResultsCount()): ?>
-                    <span class="count"><?= /* @escapeNotVerified */ $additionalInfo->getResultsCount() ?></span>
+                    <span class="count"><?= /* @noEscape */ (int)$additionalInfo->getResultsCount() ?></span>
                 <?php endif; ?>
             </dd>
         <?php endforeach; ?>

app/code/Magento/Bundle/view/adminhtml/templates/catalog/product/edit/tab/attributes/extend.phtml

@@ -4,8 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
 /** @var $block \Magento\Bundle\Block\Adminhtml\Catalog\Product\Edit\Tab\Attributes\Extend */
 $elementHtml = $block->getParentElementHtml();
 
@@ -20,18 +18,18 @@ $isElementReadonly = $block->getElement()
     ->getReadonly();
 ?>
 
-<?php if (!($attributeCode === 'price' && $block->getCanReadPrice() === false)): ?>
-    <div class="<?= /* @escapeNotVerified */  $attributeCode ?> "><?= /* @escapeNotVerified */  $elementHtml ?></div>
+<?php if (!($attributeCode === 'price' && $block->getCanReadPrice() === false)) : ?>
+    <div class="<?= $block->escapeHtmlAttr($attributeCode) ?> "><?= /* @noEscape */ $elementHtml ?></div>
 <?php endif; ?>
 
 <?= $block->getExtendedElement($switchAttributeCode)->toHtml() ?>
 
 <?php if (!$isElementReadonly && $block->getDisableChild()) { ?>
     <script>
         require(['prototype'], function () {
-            function <?= /* @escapeNotVerified */ $switchAttributeCode ?>_change() {
-                var $attribute = $('<?= /* @escapeNotVerified */ $attributeCode ?>');
-                if ($('<?= /* @escapeNotVerified */ $switchAttributeCode ?>').value == '<?= /* @escapeNotVerified */ $block::DYNAMIC ?>') {
+            function <?= /* @noEscape */ $switchAttributeCode ?>_change() {
+                var $attribute = $('<?= $block->escapeJs($attributeCode) ?>');
+                if ($('<?= /* @noEscape */ $switchAttributeCode ?>').value == '<?= $block->escapeJs($block::DYNAMIC) ?>') {
                     if ($attribute) {
                         $attribute.disabled = true;
                         $attribute.value = '';
@@ -43,10 +41,10 @@ $isElementReadonly = $block->getElement()
                 } else {
                     if ($attribute) {
                         <?php if ($attributeCode === 'price' && !$block->getCanEditPrice() && $block->getCanReadPrice()
-                                && $block->getProduct()->isObjectNew()): ?>
-                            <?php $defaultProductPrice = $block->getDefaultProductPrice() ?: "''"; ?>
-                            $attribute.value = <?= /* @escapeNotVerified */ $defaultProductPrice ?>;
-                        <?php else: ?>
+                                && $block->getProduct()->isObjectNew()) : ?>
+                                        <?php $defaultProductPrice = $block->getDefaultProductPrice() ?: "''"; ?>
+                            $attribute.value = <?= /* @noEscape */ (string)$defaultProductPrice ?>;
+                        <?php else : ?>
                             $attribute.disabled = false;
                             $attribute.addClassName('required-entry');
                         <?php endif; ?>
@@ -58,11 +56,11 @@ $isElementReadonly = $block->getElement()
             }
 
             <?php if (!($attributeCode === 'price' && !$block->getCanEditPrice()
-                    && !$block->getProduct()->isObjectNew())): ?>
-                $('<?= /* @escapeNotVerified */ $switchAttributeCode ?>').observe('change', <?= /* @escapeNotVerified */ $switchAttributeCode ?>_change);
+                    && !$block->getProduct()->isObjectNew())) : ?>
+                $('<?= /* @noEscape */ $switchAttributeCode ?>').observe('change', <?= /* @noEscape */ $switchAttributeCode ?>_change);
             <?php endif; ?>
             Event.observe(window, 'load', function(){
-                <?= /* @escapeNotVerified */ $switchAttributeCode ?>_change();
+                <?= /* @noEscape */ $switchAttributeCode ?>_change();
             });
         });
     </script>

app/code/Magento/Bundle/view/adminhtml/templates/product/composite/fieldset/options/bundle.phtml

@@ -3,17 +3,16 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 
 <?php /* @var $block \Magento\Bundle\Block\Adminhtml\Catalog\Product\Composite\Fieldset\Bundle */ ?>
 <?php $options = $block->decorateArray($block->getOptions(true)); ?>
-<?php if (count($options)): ?>
+<?php if (count($options)) : ?>
 <fieldset id="catalog_product_composite_configure_fields_bundle"
           class="fieldset admin__fieldset composite-bundle<?= $block->getIsLastFieldset() ? ' last-fieldset' : '' ?>">
-    <legend class="legend admin__legend"><span><?= /* @escapeNotVerified */ __('Bundle Items') ?></span></legend><br />
+    <legend class="legend admin__legend">
+        <span><?= $block->escapeHtml(__('Bundle Items')) ?></span>
+    </legend><br />
     <?php foreach ($options as $option) : ?>
         <?php if ($option->getSelections()) : ?>
             <?= $block->getOptionHtml($option) ?>
@@ -71,7 +70,7 @@ require([
             }
         }
     };
-    ProductConfigure.bundleControl = new BundleControl(<?= /* @escapeNotVerified */ $block->getJsonConfig() ?>);
+    ProductConfigure.bundleControl = new BundleControl(<?= /* @noEscape */ $block->getJsonConfig() ?>);
 });
 </script>
 

app/code/Magento/Bundle/view/adminhtml/templates/product/composite/fieldset/options/type/checkbox.phtml

@@ -3,60 +3,58 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
+// phpcs:disable Magento2.Templates.ThisInTemplate.FoundThis
 ?>
 <?php /* @var $block \Magento\Bundle\Block\Adminhtml\Catalog\Product\Composite\Fieldset\Options\Type\Checkbox */ ?>
 <?php $_option = $block->getOption(); ?>
 <?php $_selections = $_option->getSelections(); ?>
-<?php $_skipSaleableCheck = $this->helper('Magento\Catalog\Helper\Product')->getSkipSaleableCheck(); ?>
+<?php $_skipSaleableCheck = $this->helper(Magento\Catalog\Helper\Product::class)->getSkipSaleableCheck(); ?>
 
-<div class="field admin__field options<?php if ($_option->getRequired()) echo ' required _required' ?>">
+<div class="field admin__field options<?php if ($_option->getRequired()) { echo ' required _required'; } ?>">
     <label class="label admin__field-label">
         <span><?= $block->escapeHtml($_option->getTitle()) ?></span>
     </label>
 
     <div class="control admin__field-control">
-        <div class="nested <?php if ($_option->getDecoratedIsLast()):?> last<?php endif;?>">
+        <div class="nested <?php if ($_option->getDecoratedIsLast()) :?> last<?php endif;?>">
 
-            <?php if (count($_selections) == 1 && $_option->getRequired()): ?>
-                <?= /* @escapeNotVerified */ $block->getSelectionQtyTitlePrice($_selections[0]) ?>
+            <?php if (count($_selections) == 1 && $_option->getRequired()) : ?>
+                <?= /* @noEscape */ $block->getSelectionQtyTitlePrice($_selections[0]) ?>
                 <input type="hidden"
-                       name="bundle_option[<?= /* @escapeNotVerified */ $_option->getId() ?>]"
-                       value="<?= /* @escapeNotVerified */ $_selections[0]->getSelectionId() ?>"
-                       price="<?= /* @escapeNotVerified */ $block->getSelectionPrice($_selections[0]) ?>" />
-            <?php else:?>
+                       name="bundle_option[<?= $block->escapeHtmlAttr($_option->getId()) ?>]"
+                       value="<?= $block->escapeHtmlAttr($_selections[0]->getSelectionId()) ?>"
+                       price="<?= $block->escapeHtmlAttr($block->getSelectionPrice($_selections[0])) ?>" />
+            <?php else :?>
 
-                <?php foreach ($_selections as $_selection): ?>
+                <?php foreach ($_selections as $_selection) : ?>
                     <div class="field choice admin__field admin__field-option">
                         <input
-                            class="change-container-classname admin__control-checkbox checkbox bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?> <?php if ($_option->getRequired()) echo 'validate-one-required-by-name' ?>"
-                            id="bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?>-<?= /* @escapeNotVerified */ $_selection->getSelectionId() ?>"
+                            class="change-container-classname admin__control-checkbox checkbox bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?> <?php if ($_option->getRequired()) { echo 'validate-one-required-by-name'; } ?>"
+                            id="bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?>-<?= $block->escapeHtmlAttr($_selection->getSelectionId()) ?>"
                             type="checkbox"
-                            name="bundle_option[<?= /* @escapeNotVerified */ $_option->getId() ?>][<?= /* @escapeNotVerified */ $_selection->getId() ?>]"
-                            <?php if ($block->isSelected($_selection)):?>
+                            name="bundle_option[<?= $block->escapeHtmlAttr($_option->getId()) ?>][<?= $block->escapeHtmlAttr($_selection->getId()) ?>]"
+                            <?php if ($block->isSelected($_selection)) :?>
                                 <?= ' checked="checked"' ?>
                             <?php endif;?>
-                            <?php if (!$_selection->isSaleable() && !$_skipSaleableCheck):?>
+                            <?php if (!$_selection->isSaleable() && !$_skipSaleableCheck) :?>
                                 <?= ' disabled="disabled"' ?>
                             <?php endif;?>
-                            value="<?= /* @escapeNotVerified */ $_selection->getSelectionId() ?>"
+                            value="<?= $block->escapeHtmlAttr($_selection->getSelectionId()) ?>"
                             onclick="ProductConfigure.bundleControl.changeSelection(this)"
-                            price="<?= /* @escapeNotVerified */ $block->getSelectionPrice($_selection) ?>" />
+                            price="<?= $block->escapeHtmlAttr($block->getSelectionPrice($_selection)) ?>" />
 
                         <label class="admin__field-label"
-                               for="bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?>-<?= /* @escapeNotVerified */ $_selection->getSelectionId() ?>">
-                            <span><?= /* @escapeNotVerified */ $block->getSelectionQtyTitlePrice($_selection) ?></span>
+                               for="bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?>-<?= $block->escapeHtmlAttr($_selection->getSelectionId()) ?>">
+                            <span><?= /* @noEscape */ $block->getSelectionQtyTitlePrice($_selection) ?></span>
                         </label>
 
-                        <?php if ($_option->getRequired()): ?>
-                            <?= /* @escapeNotVerified */ $block->setValidationContainer('bundle-option-' . $_option->getId() . '-' . $_selection->getSelectionId(), 'bundle-option-' . $_option->getId() . '-container') ?>
+                        <?php if ($_option->getRequired()) : ?>
+                            <?=  /* @noEscape */ $block->setValidationContainer('bundle-option-' . $_option->getId() . '-' . $_selection->getSelectionId(), 'bundle-option-' . $_option->getId() . '-container') ?>
                         <?php endif;?>
                     </div>
                 <?php endforeach; ?>
 
-                <div id="bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?>-container"></div>
+                <div id="bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?>-container"></div>
             <?php endif; ?>
         </div>
     </div>

app/code/Magento/Bundle/view/adminhtml/templates/product/composite/fieldset/options/type/multi.phtml

@@ -3,32 +3,34 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
+// phpcs:disable Magento2.Templates.ThisInTemplate.FoundThis
 ?>
 <?php /* @var $block \Magento\Bundle\Block\Adminhtml\Catalog\Product\Composite\Fieldset\Options\Type\Multi */ ?>
 <?php $_option = $block->getOption(); ?>
 <?php $_selections = $_option->getSelections(); ?>
-<?php $_skipSaleableCheck = $this->helper('Magento\Catalog\Helper\Product')->getSkipSaleableCheck(); ?>
-<div class="field admin__field <?php if ($_option->getRequired()) echo ' required' ?><?php if ($_option->getDecoratedIsLast()):?> last<?php endif; ?>">
+<?php $_skipSaleableCheck = $this->helper(Magento\Catalog\Helper\Product::class)->getSkipSaleableCheck(); ?>
+<div class="field admin__field <?php if ($_option->getRequired()) { echo ' required'; } ?><?php if ($_option->getDecoratedIsLast()) :?> last<?php endif; ?>">
     <label class="label admin__field-label"><span><?= $block->escapeHtml($_option->getTitle()) ?></span></label>
     <div class="control admin__field-control">
-        <?php if (count($_selections) == 1 && $_option->getRequired()): ?>
-            <?= /* @escapeNotVerified */ $block->getSelectionQtyTitlePrice($_selections[0]) ?>
-            <input type="hidden" name="bundle_option[<?= /* @escapeNotVerified */ $_option->getId() ?>]"
-                   value="<?= /* @escapeNotVerified */ $_selections[0]->getSelectionId() ?>"
-                   price="<?= /* @escapeNotVerified */ $block->getSelectionPrice($_selections[0]) ?>" />
-        <?php else: ?>
-            <select multiple="multiple" size="5" id="bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?>"
-                    name="bundle_option[<?= /* @escapeNotVerified */ $_option->getId() ?>][]"
-                    class="admin__control-multiselect bundle-option-<?= /* @escapeNotVerified */ $_option->getId() ?><?php if ($_option->getRequired()) echo ' required-entry' ?> multiselect change-container-classname"
+        <?php if (count($_selections) == 1 && $_option->getRequired()) : ?>
+            <?= /* @noEscape */ $block->getSelectionQtyTitlePrice($_selections[0]) ?>
+            <input type="hidden" name="bundle_option[<?= $block->escapeHtmlAttr($_option->getId()) ?>]"
+                   value="<?= $block->escapeHtmlAttr($_selections[0]->getSelectionId()) ?>"
+                   price="<?= $block->escapeHtmlAttr($block->getSelectionPrice($_selections[0])) ?>" />
+        <?php else : ?>
+            <select multiple="multiple" size="5" id="bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?>"
+                    name="bundle_option[<?= $block->escapeHtmlAttr($_option->getId()) ?>][]"
+                    class="admin__control-multiselect bundle-option-<?= $block->escapeHtmlAttr($_option->getId()) ?><?php if ($_option->getRequired()) { echo ' required-entry'; } ?> multiselect change-container-classname"
                     onchange="ProductConfigure.bundleControl.changeSelection(this)">
-            <?php if(!$_option->getRequired()): ?>
-                <option value=""><?= /* @escapeNotVerified */ __('None') ?></option>
+            <?php if (!$_option->getRequired()) : ?>
+                <option value=""><?= $block->escapeHtml(__('None')) ?></option>
             <?php endif; ?>
-            <?php foreach ($_selections as $_selection): ?>
-                <option value="<?= /* @escapeNotVerified */ $_selection->getSelectionId() ?>"<?php if ($block->isSelected($_selection)) echo ' selected="selected"' ?><?php if (!$_selection->isSaleable() && !$_skipSaleableCheck) echo ' disabled="disabled"' ?> price="<?= /* @escapeNotVerified */ $block->getSelectionPrice($_selection) ?>"><?= /* @escapeNotVerified */ $block->getSelectionQtyTitlePrice($_selection, false) ?></option>
+            <?php foreach ($_selections as $_selection) : ?>
+                <option value="<?= $block->escapeHtmlAttr($_selection->getSelectionId()) ?>"
+                    <?php if ($block->isSelected($_selection)) { echo ' selected="selected"'; } ?>
+                    <?php if (!$_selection->isSaleable() && !$_skipSaleableCheck) { echo ' disabled="disabled"'; } ?>
+                    price="<?= $block->escapeHtmlAttr($block->getSelectionPrice($_selection)) ?>">
+                    <?= /* @noEscape */ $block->getSelectionQtyTitlePrice($_selection, false) ?></option>
             <?php endforeach; ?>
             </select>
         <?php endif; ?>