Merge branch 'merchant_beta' into MAGETWO-44160

Author: Dmytro Voskoboinikov

app/code/Magento/Backend/Block/Widget/Grid.php

@@ -760,7 +760,7 @@ public function setSaveParametersInSession($flag)
      */
     public function getJsObjectName()
     {
-        return $this->getId() . 'JsObject';
+        return preg_replace("~[^a-z0-9_]*~i", '', $this->getId()) . 'JsObject';
     }
 
     /**

app/code/Magento/Backend/Block/Widget/Grid/Column/Filter/AbstractFilter.php

@@ -67,7 +67,7 @@ public function getColumn()
      */
     protected function _getHtmlName()
     {
-        return $this->getColumn()->getId();
+        return $this->escapeHtml($this->getColumn()->getId());
     }
 
     /**
@@ -77,7 +77,7 @@ protected function _getHtmlName()
      */
     protected function _getHtmlId()
     {
-        return $this->getColumn()->getHtmlId();
+        return $this->escapeHtml($this->getColumn()->getHtmlId());
     }
 
     /**
@@ -88,7 +88,7 @@ protected function _getHtmlId()
      */
     public function getEscapedValue($index = null)
     {
-        return htmlspecialchars((string)$this->getValue($index));
+        return $this->escapeHtml((string)$this->getValue($index));
     }
 
     /**

app/code/Magento/Backend/Test/Unit/Block/Widget/Grid/Column/Filter/TextTest.php

@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Backend\Test\Unit\Block\Widget\Grid\Column\Filter;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager as ObjectManagerHelper;
+
+class TextTest extends \PHPUnit_Framework_TestCase
+{
+    /** @var \Magento\Backend\Block\Widget\Grid\Column\Filter\Text*/
+    protected $block;
+
+    /** @var ObjectManagerHelper */
+    protected $objectManagerHelper;
+
+    /** @var \Magento\Backend\Block\Context|\PHPUnit_Framework_MockObject_MockObject */
+    protected $context;
+
+    /** @var \Magento\Framework\DB\Helper|\PHPUnit_Framework_MockObject_MockObject */
+    protected $helper;
+
+    /** @var \Magento\Framework\Escaper|\PHPUnit_Framework_MockObject_MockObject */
+    protected $escaper;
+
+    protected function setUp()
+    {
+        $this->context = $this->getMockBuilder('Magento\Backend\Block\Context')
+            ->setMethods(['getEscaper'])
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->escaper = $this->getMock('Magento\Framework\Escaper', ['escapeHtml'], [], '', false);
+        $this->helper = $this->getMock('Magento\Framework\DB\Helper', [], [], '', false);
+
+        $this->context->expects($this->once())->method('getEscaper')->willReturn($this->escaper);
+
+        $this->objectManagerHelper = new ObjectManagerHelper($this);
+        $this->block = $this->objectManagerHelper->getObject(
+            'Magento\Backend\Block\Widget\Grid\Column\Filter\Text',
+            [
+                'context' => $this->context,
+                'resourceHelper' => $this->helper
+            ]
+        );
+    }
+
+    public function testGetHtml()
+    {
+        $resultHtml = '<input type="text" name="escapedHtml" ' .
+            'id="escapedHtml" value="escapedHtml" ' .
+            'class="input-text admin__control-text no-changes" data-ui-id="filter-escapedhtml"  />';
+
+        $column = $this->getMockBuilder('Magento\Backend\Block\Widget\Grid\Column')
+            ->setMethods(['getId', 'getHtmlId'])
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $this->block->setColumn($column);
+
+        $this->escaper->expects($this->any())->method('escapeHtml')->willReturn('escapedHtml');
+        $column->expects($this->any())->method('getId')->willReturn('id');
+        $column->expects($this->once())->method('getHtmlId')->willReturn('htmlId');
+
+        $this->assertEquals($resultHtml, $this->block->getHtml());
+    }
+}

app/code/Magento/Backend/view/adminhtml/templates/widget/grid.phtml

@@ -24,7 +24,7 @@ $numColumns = sizeof($block->getColumns());
 <?php if ($block->getCollection()): ?>
 
 <?php if ($block->canDisplayContainer()): ?>
-<div id="<?php echo $block->getId() ?>" data-grid-id="<?php echo $block->getId() ?>">
+<div id="<?php echo $block->escapeHtml($block->getId()) ?>" data-grid-id="<?php echo $block->escapeHtml($block->getId()) ?>">
 <?php else: ?>
 <?php echo $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
 <?php endif; ?>
@@ -50,17 +50,17 @@ $numColumns = sizeof($block->getColumns());
                 <?php endif; ?>
                     <?php $countRecords = $block->getCollection()->getSize(); ?>
                     <div class="admin__control-support-text">
-                        <span id="<?php echo $block->getHtmlId() ?>-total-count" <?php echo $block->getUiId('total-count') ?>>
+                        <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>-total-count" <?php echo $block->getUiId('total-count') ?>>
                             <?php echo $countRecords ?>
                         </span>
                         <?php echo __('records found') ?>
-                        <span id="<?php echo $block->getHtmlId() ?>_massaction-count"
+                        <span id="<?php echo $block->escapeHtml($block->getHtmlId()) ?>_massaction-count"
                               class="mass-select-info _empty"><strong data-role="counter">0</strong> <span><?php echo __('selected') ?></span></span>
                     </div>
                 <?php if ($block->getPagerVisibility()): ?>
                     <div class="admin__data-grid-pager-wrap">
                         <select name="<?php echo $block->getVarNameLimit() ?>"
-                                id="<?php echo $block->getHtmlId()?>_page-limit"
+                                id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
                                 onchange="<?php echo $block->getJsObjectName() ?>.loadByElement(this)" <?php echo $block->getUiId('per-page') ?>
                                 class="admin__control-select">
                             <option value="20"<?php if ($block->getCollection()->getPageSize() == 20): ?>
@@ -79,7 +79,7 @@ $numColumns = sizeof($block->getColumns());
                                 selected="selected"<?php endif; ?>>200
                             </option>
                         </select>
-                        <label for="<?php echo $block->getHtmlId()?>_page-limit"
+                        <label for="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-limit"
                             class="admin__control-support-text"><?php echo __('per page') ?></label>
                         <div class="admin__data-grid-pager">
                             <?php $_curPage = $block->getCollection()->getCurPage() ?>
@@ -96,13 +96,13 @@ $numColumns = sizeof($block->getColumns());
                             <?php endif; ?>
 
                             <input type="text"
-                                   id="<?php echo $block->getHtmlId()?>_page-current"
+                                   id="<?php echo $block->escapeHtml($block->getHtmlId())?>_page-current"
                                    name="<?php echo $block->getVarNamePage() ?>"
                                    value="<?php echo $_curPage ?>"
                                    class="admin__control-text"
                                    onkeypress="<?php echo $block->getJsObjectName() ?>.inputPage(event, '<?php echo $_lastPage ?>')" <?php echo $block->getUiId('current-page') ?> />
 
-                            <label class="admin__control-support-text" for="<?php echo $block->getHtmlId()
+                            <label class="admin__control-support-text" for="<?php echo $block->escapeHtml($block->getHtmlId())
                             ?>_page-current">
                                 <?php echo __('of %1', '<span>' . $block->getCollection()->getLastPageNumber() . '</span>') ?>
                             </label>
@@ -122,13 +122,13 @@ $numColumns = sizeof($block->getColumns());
         </div>
         <div class="admin__data-grid-wrap">
         <?php if ($block->getGridCssClass()): ?>
-            <table class="<?php echo $block->getGridCssClass() ?> data-grid" id="<?php echo $block->getId() ?>_table">
+            <table class="<?php echo $block->getGridCssClass() ?> data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
                 <!-- Rendering column set -->
                 <?php echo $block->getChildHtml('grid.columnSet'); ?>
             </table>
         <?php else: ?>
 
-            <table class="data-grid" id="<?php echo $block->getId() ?>_table">
+            <table class="data-grid" id="<?php echo $block->escapeHtml($block->getId()) ?>_table">
                 <!-- Rendering column set -->
                 <?php echo $block->getChildHtml('grid.columnSet'); ?>
             </table>
@@ -161,7 +161,7 @@ $numColumns = sizeof($block->getColumns());
             registry.get('<?php echo $block->getDependencyJsObject() ?>', function (<?php echo $block->getDependencyJsObject() ?>) {
         <?php endif; ?>
 
-        <?php echo $block->getJsObjectName() ?> = new varienGrid('<?php echo $block->getId() ?>', '<?php echo $block->getGridUrl() ?>', '<?php echo $block->getVarNamePage() ?>', '<?php echo $block->getVarNameSort() ?>', '<?php echo $block->getVarNameDir() ?>', '<?php echo $block->getVarNameFilter() ?>');
+        <?php echo $block->getJsObjectName() ?> = new varienGrid('<?php echo $block->escapeHtml($block->getId()) ?>', '<?php echo $block->getGridUrl() ?>', '<?php echo $block->getVarNamePage() ?>', '<?php echo $block->getVarNameSort() ?>', '<?php echo $block->getVarNameDir() ?>', '<?php echo $block->getVarNameFilter() ?>');
         <?php echo $block->getJsObjectName() ?>.useAjax = <?php echo $block->getUseAjax() ? 'true' : 'false' ?>;
         <?php if ($block->getRowClickCallback()): ?>
         <?php echo $block->getJsObjectName() ?>.rowClickCallback = <?php echo $block->getRowClickCallback() ?>;