Merge branch 'develop' of github.com:magento/magento2ce into bugs

Author: omiroshnichenko

app/code/Magento/Bundle/Helper/Catalog/Product/Configuration.php

@@ -142,6 +142,7 @@ public function getBundleOptions(ItemInterface $item)
                                     . $this->pricingHelper->currency(
                                         $this->getSelectionFinalPrice($item, $bundleSelection)
                                     );
+                                $option['has_html'] = true;
                             }
                         }
 

app/code/Magento/Bundle/Test/Unit/Helper/Catalog/Product/ConfigurationTest.php

@@ -164,6 +164,9 @@ public function testGetBundleOptionsEmptyBundleSelectionIds()
         $this->assertEquals([], $this->helper->getBundleOptions($this->item));
     }
 
+    /**
+     * @SuppressWarnings(PHPMD.ExcessiveMethodLength)
+     */
     public function testGetOptions()
     {
         $optionIds = 'a:1:{i:0;i:1;}';
@@ -254,8 +257,12 @@ public function testGetOptions()
 
         $this->assertEquals(
             [
-                0 => ['label' => 'title', 'value' => [0 => '1 x name <span class="price">$15.00</span>']],
-                1 => ['label' => 'title', 'value' => 'value'],
+                [
+                    'label' => 'title',
+                    'value' => ['1 x name <span class="price">$15.00</span>'],
+                    'has_html' => true,
+                ],
+                ['label' => 'title', 'value' => 'value'],
             ],
             $this->helper->getOptions($this->item)
         );

app/code/Magento/Captcha/view/adminhtml/templates/default.phtml

@@ -19,7 +19,7 @@
             id="captcha"
             class="admin__control-text"
             type="text"
-            name="<?php /* @escapeNotVerified */ echo \Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE ?>[<?php /* @escapeNotVerified */ echo $block->getFormId()?>]"
+            name="<?php echo $block->escapeHtmlAttr(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE) ?>[<?php echo $block->escapeHtml($block->getFormId())?>]"
             data-validate="{required:true}"/>
         <?php if ($captcha->isCaseSensitive()) :?>
             <div class="admin__field-note">
@@ -32,19 +32,19 @@
     <img
         id="captcha-reload"
         class="captcha-reload"
-        src="<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('Magento_Captcha::reload.png') ?>"
+        src="<?php echo $block->escapeUrl($block->getViewFileUrl('Magento_Captcha::reload.png')) ?>"
         alt="<?php /* @escapeNotVerified */ echo __('Reload captcha') ?>"/>
     <img
-        id="<?php /* @escapeNotVerified */ echo $block->getFormId() ?>"
-        width="<?php /* @escapeNotVerified */ echo $block->getImgWidth() ?>"
-        height="<?php /* @escapeNotVerified */ echo $block->getImgHeight() ?>"
-        src="<?php /* @escapeNotVerified */ echo $captcha->getImgSrc() ?>" />
+        id="<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>"
+        width="<?php /* @noEscape */ echo (float) $block->getImgWidth() ?>"
+        height="<?php /* @noEscape */ echo (float) $block->getImgHeight() ?>"
+        src="<?php echo $block->escapeUrl($captcha->getImgSrc()) ?>" />
 </div>
 <script>
     require(["prototype", "mage/captcha"], function(){
 
 //<![CDATA[
-        var captcha = new Captcha('<?php /* @escapeNotVerified */ echo $block->getRefreshUrl() ?>', '<?php /* @escapeNotVerified */ echo $block->getFormId() ?>');
+        var captcha = new Captcha('<?php echo $block->escapeUrl($block->getRefreshUrl()) ?>', '<?php echo $block->escapeJs($block->getFormId()) ?>');
 
         $('captcha-reload').observe('click', function () {
             captcha.refresh(this);

app/code/Magento/Captcha/view/frontend/templates/default.phtml

@@ -10,19 +10,19 @@
 <?php /* @var $captcha \Magento\Captcha\Model\DefaultModel */ ?>
 <?php /* @var $block \Magento\Captcha\Block\Captcha\DefaultCaptcha */ ?>
 <?php $captcha = $block->getCaptchaModel() ?>
-<div class="field captcha required" role="<?php /* @escapeNotVerified */ echo $block->getFormId()?>">
-    <label for="captcha_<?php /* @escapeNotVerified */ echo $block->getFormId() ?>" class="label"><span><?php /* @escapeNotVerified */ echo __('Please type the letters below')?></span></label>
+<div class="field captcha required" role="<?php echo $block->escapeHtmlAttr($block->getFormId())?>">
+    <label for="captcha_<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>" class="label"><span><?php /* @escapeNotVerified */ echo __('Please type the letters below')?></span></label>
     <div class="control captcha">
-        <input name="<?php /* @escapeNotVerified */ echo \Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE ?>[<?php /* @escapeNotVerified */ echo $block->getFormId()?>]" type="text" class="input-text required-entry" data-validate="{required:true}" id="captcha_<?php /* @escapeNotVerified */ echo $block->getFormId() ?>" />
+        <input name="<?php echo $block->escapeHtmlAttr(\Magento\Captcha\Helper\Data::INPUT_NAME_FIELD_VALUE) ?>[<?php echo $block->escapeHtmlAttr($block->getFormId())?>]" type="text" class="input-text required-entry" data-validate="{required:true}" id="captcha_<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>" />
         <div class="nested">
             <div class="field captcha no-label"
-                 data-captcha="<?php /* @escapeNotVerified */ echo $block->getFormId()?>"
-                 id="captcha-container-<?php /* @escapeNotVerified */ echo $block->getFormId()?>"
-                 data-mage-init='{"captcha":{"url": "<?php /* @escapeNotVerified */ echo $block->getRefreshUrl()?>",
-                                            "imageLoader": "<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('images/loader-2.gif') ?>",
-                                             "type": "<?php /* @escapeNotVerified */ echo $block->getFormId() ?>"}}'>
+                 data-captcha="<?php echo $block->escapeHtmlAttr($block->getFormId())?>"
+                 id="captcha-container-<?php echo $block->escapeHtmlAttr($block->getFormId())?>"
+                 data-mage-init='{"captcha":{"url": "<?php echo $block->escapeUrl($block->getRefreshUrl())?>",
+                                            "imageLoader": "<?php echo $block->escapeUrl($block->getViewFileUrl('images/loader-2.gif')) ?>",
+                                             "type": "<?php echo $block->escapeHtmlAttr($block->getFormId()) ?>"}}'>
                 <div class="control captcha-image">
-                    <img alt="<?php /* @escapeNotVerified */ echo __('Please type the letters below')?>" class="captcha-img" height="<?php /* @escapeNotVerified */ echo $block->getImgHeight() ?>" src="<?php /* @escapeNotVerified */ echo $captcha->getImgSrc() ?>"/>
+                    <img alt="<?php /* @escapeNotVerified */ echo __('Please type the letters below')?>" class="captcha-img" height="<?php /* @noEscape */ echo (float) $block->getImgHeight() ?>" src="<?php echo $block->escapeUrl($captcha->getImgSrc()) ?>"/>
                     <button type="button" class="action reload captcha-reload" title="<?php /* @escapeNotVerified */ echo __('Reload captcha') ?>"><span><?php /* @escapeNotVerified */ echo __('Reload captcha') ?></span></button>
                 </div>
             </div>

app/code/Magento/Catalog/Block/Adminhtml/Category/Widget/Chooser.php

@@ -121,7 +121,7 @@ function (node, e) {
                 }
             ';
         } else {
-            $chooserJsObject = $this->getId();
+            $chooserJsObject = $this->escapeJs($this->getId());
             $js = '
                 function (node, e) {
                     ' .

app/code/Magento/Catalog/Block/Adminhtml/Product/Widget/Chooser.php

@@ -202,7 +202,7 @@ function (node, e) {
                 {jsObject}.categoryName = node.attributes.id != "none" ? node.text : false;
             }
         ';
-        $js = str_replace('{jsObject}', $this->getJsObjectName(), $js);
+        $js = str_replace('{jsObject}', $this->escapeJs($this->getJsObjectName()), $js);
         return $js;
     }
 

app/code/Magento/CatalogWidget/view/adminhtml/templates/product/widget/conditions.phtml

@@ -6,16 +6,17 @@
 
 // @codingStandardsIgnoreFile
 
-?>
-<?php
+/** @var \Magento\CatalogWidget\Block\Product\Widget\Conditions $block */
+
 $element = $block->getElement();
-$fieldId = ($element->getHtmlContainerId()) ? ' id="' . $element->getHtmlContainerId() . '"' : '';
-$fieldClass = "field admin__field field-{$element->getId()} {$element->getCssClass()}";
-$fieldClass .= ($element->getRequired()) ? ' required' : '';
-$fieldAttributes = $fieldId . ' class="' . $fieldClass . '" ' . $block->getUiId('form-field', $element->getId());
+$fieldId = $element->getHtmlContainerId() ? ' id="' . $block->escapeHtmlAttr($element->getHtmlContainerId()) . '"' : '';
+$fieldClass = 'field admin__field field-' . $block->escapeHtmlAttr($element->getId()) . ' '
+    . $block->escapeHtmlAttr($element->getCssClass());
+$fieldClass .= $element->getRequired() ? ' required' : '';
+$fieldAttributes = $fieldId . ' class="' . $fieldClass . '" '
+    . $block->getUiId('form-field', $block->escapeHtmlAttr($element->getId()));
 ?>
-
-<div<?php /* @escapeNotVerified */ echo $fieldAttributes ?>>
+<div<?php /* @noEscape */ echo $fieldAttributes ?>>
     <?php echo $element->getLabelHtml() ?>
     <div class="control admin__field-control">
         <div class="rule-tree">
@@ -32,6 +33,6 @@ $fieldAttributes = $fieldId . ' class="' . $fieldClass . '" ' . $block->getUiId(
         "Magento_Rule/rules",
         "prototype"
     ], function(VarienRulesForm){
-        window.<?php echo $block->getHtmlId() ?> = new VarienRulesForm('<?php echo $block->getHtmlId() ?>', '<?php /* @escapeNotVerified */ echo $block->getNewChildUrl() ?>');
+        window.<?php echo $block->escapeJs($block->getHtmlId()) ?> = new VarienRulesForm('<?php echo $block->escapeJs($block->getHtmlId()) ?>', '<?php echo $block->escapeUrl($block->getNewChildUrl()) ?>');
     });
 </script>

app/code/Magento/CatalogWidget/view/frontend/templates/product/widget/content/grid.phtml

@@ -6,15 +6,9 @@
 
 // @codingStandardsIgnoreFile
 
+/** @var \Magento\CatalogWidget\Block\Product\ProductsList $block */
 ?>
-<?php
-/**
- * Template for displaying products list widget
- *
- * @var $block \Magento\CatalogWidget\Block\Product\ProductsList
- */
-?>
-<?php if ($exist = ($block->getProductCollection() && $block->getProductCollection()->getSize())):?>
+<?php if ($exist = ($block->getProductCollection() && $block->getProductCollection()->getSize())): ?>
 <?php
     $type = 'widget-product-grid';
 
@@ -30,27 +24,28 @@
     $templateType = \Magento\Catalog\Block\Product\ReviewRendererInterface::DEFAULT_VIEW;
     $description = false;
 ?>
-    <div class="block widget block-products-list <?php /* @escapeNotVerified */ echo $mode; ?>">
-        <?php if ($title):?>
+    <div class="block widget block-products-list <?php /* @noEscape */ echo $mode; ?>">
+        <?php if ($title): ?>
         <div class="block-title">
-            <strong><?php /* @escapeNotVerified */ echo $title; ?></strong>
+            <strong><?php echo $block->escapeHtml($title); ?></strong>
         </div>
         <?php endif ?>
         <div class="block-content">
-            <?php /* @escapeNotVerified */ echo '<!-- ' . $image . '-->' ?>
-            <div class="products-<?php /* @escapeNotVerified */ echo $mode; ?> <?php /* @escapeNotVerified */ echo $mode; ?>">
-                <ol class="product-items <?php /* @escapeNotVerified */ echo $type; ?>">
+            <?php /* @noEscape */ echo '<!-- ' . $image . '-->' ?>
+            <div class="products-<?php /* @noEscape */ echo $mode; ?> <?php /* @noEscape */ echo $mode; ?>">
+                <ol class="product-items <?php /* @noEscape */ echo $type; ?>">
                     <?php $iterator = 1; ?>
                     <?php foreach ($items as $_item): ?>
-                        <?php /* @escapeNotVerified */ echo($iterator++ == 1) ? '<li class="product-item">' : '</li><li class="product-item">' ?>
+                        <?php if ($iterator++ != 1): ?></li><?php endif ?>
+                        <li class="product-item">
                         <div class="product-item-info">
-                            <a href="<?php /* @escapeNotVerified */ echo $block->getProductUrl($_item) ?>" class="product-item-photo">
+                            <a href="<?php echo $block->escapeUrl($block->getProductUrl($_item)) ?>" class="product-item-photo">
                                 <?php echo $block->getImage($_item, $image)->toHtml(); ?>
                             </a>
                             <div class="product-item-details">
                                 <strong class="product-item-name">
                                     <a title="<?php echo $block->escapeHtml($_item->getName()) ?>"
-                                       href="<?php /* @escapeNotVerified */ echo $block->getProductUrl($_item) ?>"
+                                       href="<?php echo $block->escapeUrl($block->getProductUrl($_item)) ?>"
                                        class="product-item-link">
                                         <?php echo $block->escapeHtml($_item->getName()) ?>
                                     </a>
@@ -70,7 +65,7 @@
                                                 <?php if ($_item->isSaleable()): ?>
                                                     <?php if ($_item->getTypeInstance()->hasRequiredOptions($_item)): ?>
                                                         <button class="action tocart primary"
-                                                                data-mage-init='{"redirectUrl":{"url":"<?php /* @escapeNotVerified */ echo $block->getAddToCartUrl($_item) ?>"}}'
+                                                                data-mage-init='{"redirectUrl":{"url":"<?php echo $block->escapeUrl($block->getAddToCartUrl($_item)) ?>"}}'
                                                                 type="button" title="<?php /* @escapeNotVerified */ echo __('Add to Cart') ?>">
                                                             <span><?php /* @escapeNotVerified */ echo __('Add to Cart') ?></span>
                                                         </button>
@@ -80,7 +75,7 @@
                                                             $postData = $postDataHelper->getPostData($block->getAddToCartUrl($_item), ['product' => $_item->getEntityId()])
                                                         ?>
                                                         <button class="action tocart primary"
-                                                                data-post='<?php /* @escapeNotVerified */ echo $postData; ?>'
+                                                                data-post='<?php /* @noEscape */ echo $postData; ?>'
                                                                 type="button" title="<?php /* @escapeNotVerified */ echo __('Add to Cart') ?>">
                                                             <span><?php /* @escapeNotVerified */ echo __('Add to Cart') ?></span>
                                                         </button>
@@ -98,7 +93,7 @@
                                             <div class="actions-secondary" data-role="add-to-links">
                                                 <?php if ($this->helper('Magento\Wishlist\Helper\Data')->isAllow() && $showWishlist): ?>
                                                     <a href="#"
-                                                       data-post='<?php /* @escapeNotVerified */ echo $block->getAddToWishlistParams($_item); ?>'
+                                                       data-post='<?php /* @noEscape */ echo $block->getAddToWishlistParams($_item); ?>'
                                                        class="action towishlist" data-action="add-to-wishlist"
                                                        title="<?php /* @escapeNotVerified */ echo __('Add to Wish List') ?>">
                                                         <span><?php /* @escapeNotVerified */ echo __('Add to Wish List') ?></span>
@@ -107,7 +102,7 @@
                                                 <?php if ($block->getAddToCompareUrl() && $showCompare): ?>
                                                     <?php $compareHelper = $this->helper('Magento\Catalog\Helper\Product\Compare');?>
                                                     <a href="#" class="action tocompare"
-                                                       data-post='<?php /* @escapeNotVerified */ echo $compareHelper->getPostDataParams($_item);?>'
+                                                       data-post='<?php /* @noEscape */ echo $compareHelper->getPostDataParams($_item);?>'
                                                        title="<?php /* @escapeNotVerified */ echo __('Add to Compare') ?>">
                                                         <span><?php /* @escapeNotVerified */ echo __('Add to Compare') ?></span>
                                                     </a>

app/code/Magento/Cms/view/adminhtml/templates/browser/content.phtml

@@ -17,7 +17,7 @@
                 <div class="insert-actions">
                     <?php echo $block->getButtonsHtml() ?>
                 </div>
-                <div class="title"><?php /* @escapeNotVerified */ echo $block->getHeaderText() ?></div>
+                <div class="title"><?php echo $block->escapeHtml($block->getHeaderText()) ?></div>
             </div>
         </div>
         <div id="error-message" data-action="show-error"></div>

app/code/Magento/Cms/view/adminhtml/templates/browser/content/files.phtml

@@ -14,16 +14,16 @@ $_height = $block->getImagesHeight();
 ?>
 <?php if ($block->getFilesCount() > 0): ?>
     <?php foreach ($block->getFiles() as $file): ?>
-    <div data-row="file" class="filecnt" id="<?php /* @escapeNotVerified */ echo $block->getFileId($file) ?>">
-        <p class="nm" style="height:<?php /* @escapeNotVerified */ echo $_height ?>px;width:<?php /* @escapeNotVerified */ echo $_width ?>px;">
+    <div data-row="file" class="filecnt" id="<?php echo $block->escapeHtmlAttr($block->getFileId($file)) ?>">
+        <p class="nm" style="height:<?php echo $block->escapeHtmlAttr($_height) ?>px;width:<?php echo $block->escapeHtmlAttr($_width) ?>px;">
         <?php if ($block->getFileThumbUrl($file)):?>
-            <img src="<?php /* @escapeNotVerified */ echo $block->getFileThumbUrl($file) ?>" alt="<?php /* @escapeNotVerified */ echo $block->getFileName($file) ?>"/>
+            <img src="<?php echo $block->escapeHtmlAttr($block->getFileThumbUrl($file)) ?>" alt="<?php echo $block->escapeHtmlAttr($block->getFileName($file)) ?>"/>
         <?php endif; ?>
         </p>
         <?php if ($block->getFileWidth($file)): ?>
-            <small><?php /* @escapeNotVerified */ echo $block->getFileWidth($file) ?>x<?php /* @escapeNotVerified */ echo $block->getFileHeight($file) ?> <?php /* @escapeNotVerified */ echo __('px.') ?></small><br/>
+            <small><?php echo $block->escapeHtml($block->getFileWidth($file)) ?>x<?php echo $block->escapeHtml($block->getFileHeight($file)) ?> <?php /* @escapeNotVerified */ echo __('px.') ?></small><br/>
         <?php endif; ?>
-        <small><?php /* @escapeNotVerified */ echo $block->getFileShortName($file); ?></small>
+        <small><?php echo $block->escapeHtml($block->getFileShortName($file)); ?></small>
     </div>
     <?php endforeach; ?>
 <?php else: ?>