Merge branch '2.3-develop' into feature/271-Customer-Attributes-Validation

Author: furseyev

SECURITY.md

@@ -0,0 +1,10 @@
+# Reporting Security Issues
+
+Magento values the contributions of the security research community, and we look forward to working with you to minimize risk to Magento merchants. 
+
+## Where should I report security issues?
+
+We strongly encourage you to report all security issues privately via our [bug bounty program](https://hackerone.com/magento).  Please provide us with relevant technical details and repro steps to expedite our investigation.  If you prefer not to use HackerOne, email us directly at `[email protected]` with details and repro steps.  
+
+## Learning More About Security
+To learn more about securing a Magento store, please visit the [Security Center](https://magento.com/security).

app/code/Magento/AdminNotification/Model/Feed.php

@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +96,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +263,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml

@@ -4,10 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
-?>
-<?php
 /**
  * @see \Magento\AdminNotification\Block\Window
  */
@@ -19,11 +15,13 @@
             "autoOpen": true,
             "buttons": false,
             "modalClass": "modal-system-messages",
-            "title": "<?= /* @escapeNotVerified */ $block->getHeaderText() ?>"
+            "title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
         }
     }'>
     <li class="message message-warning warning">
-        <?= /* @escapeNotVerified */ $block->getNoticeMessageText() ?><br/>
-        <a href="<?= /* @escapeNotVerified */ $block->getNoticeMessageUrl() ?>"><?= /* @escapeNotVerified */ $block->getReadDetailsText() ?></a>
+        <?= $block->escapeHtml($block->getNoticeMessageText()) ?><br/>
+        <a href="<?= $block->escapeUrl($block->getNoticeMessageUrl()) ?>">
+            <?= $block->escapeHtml($block->getReadDetailsText()) ?>
+        </a>
     </li>
 </ul>

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml

@@ -4,41 +4,41 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages */ ?>
 
 <?php $lastCritical = $block->getLastCritical();?>
-<div id="system_messages" class="message-system<?php if ($lastCritical): ?> message-system-unread<?php endif; ?>">
+<div id="system_messages"
+     class="message-system<?php if ($lastCritical) : ?>
+     message-system-unread<?php endif; ?>">
     <div class="message-system-inner">
-        <?php if ($lastCritical): ?>
+        <?php if ($lastCritical) : ?>
             <ul class="message-system-list">
                 <li class="message message-warning error">
-                    <?= /* @escapeNotVerified */ $lastCritical->getText() ?>
+                    <?= $block->escapeHtml($lastCritical->getText()) ?>
                 </li>
             </ul>
         <?php endif; ?>
         <div class="message-system-short">
             <span class="message-system-short-label">
-                <?= /* @escapeNotVerified */ __('System Messages:') ?>
+                <?= $block->escapeHtml(__('System Messages:')) ?>
             </span>
 
-            <?php if ($block->getCriticalCount()): ?>
+            <?php if ($block->getCriticalCount()) : ?>
                 <div class="message message-warning error">
                     <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Critical System Messages')) ?>">
-                        <?= /* @escapeNotVerified */ $block->getCriticalCount() ?>
+                        <?= (int) $block->getCriticalCount() ?>
                     </a>
                 </div>
-            <?php endif;?>
+            <?php endif; ?>
 
-            <?php if ($block->getMajorCount()): ?>
+            <?php if ($block->getMajorCount()) : ?>
                <div class="message message-warning warning">
                    <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
-                       <?= /* @escapeNotVerified */ $block->getMajorCount() ?>
+                       <?= (int) $block->getMajorCount() ?>
                    </a>
                </div>
-            <?php endif;?>
+            <?php endif; ?>
         </div>
         <div id="message-system-all" title="<?= $block->escapeHtml(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtml($block->getSystemMessageDialogJson()) ?>'></div>
     </div>

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml

@@ -4,16 +4,15 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */ ?>
 
-<div style="display:none" id="system_messages_list" data-role="system_messages_list" title="<?= $block->escapeHtml($block->getPopupTitle()) ?>">
+<div style="display:none" id="system_messages_list" data-role="system_messages_list"
+     title="<?= $block->escapeHtmlAttr($block->getPopupTitle()) ?>">
     <ul class="message-system-list messages">
-        <?php foreach ($block->getUnreadMessages() as $message): ?>
-            <li class="message message-warning <?= /* @escapeNotVerified */ $block->getItemClass($message) ?>">
-                <?= /* @escapeNotVerified */ $message->getText() ?>
+        <?php foreach ($block->getUnreadMessages() as $message) : ?>
+            <li class="message message-warning <?= $block->escapeHtmlAttr($block->getItemClass($message)) ?>">
+                <?= $block->escapeHtml($message->getText()) ?>
             </li>
         <?php endforeach;?>
     </ul>

app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml

@@ -4,81 +4,78 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
+/** @var $this \Magento\AdminNotification\Block\ToolbarEntry */
 
-?>
-<?php /** @var $this \Magento\AdminNotification\Block\ToolbarEntry */ ?>
-<?php
     $notificationCount = $block->getUnreadNotificationCount();
     $notificationCounterMax = $block->getNotificationCounterMax();
 ?>
 <div
     data-mage-init='{"toolbarEntry": {}}'
     class="notifications-wrapper admin__action-dropdown-wrap"
-    data-notification-count="<?= /* @escapeNotVerified */ $notificationCount ?>">
+    data-notification-count="<?= (int)$notificationCount ?>">
     <?php if ($notificationCount > 0) : ?>
         <a
-            href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
+            href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
             class="notifications-action admin__action-dropdown"
             data-mage-init='{"dropdown":{}}'
-            title="<?= /* @escapeNotVerified */ __('Notifications') ?>"
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>"
             data-toggle="dropdown">
             <span class="notifications-counter">
-                <?= /* @escapeNotVerified */ ($notificationCount > $notificationCounterMax) ? $notificationCounterMax . '+' : $notificationCount ?>
+                <?= /* @noEscape */ ($notificationCount > $notificationCounterMax) ? (int)$notificationCounterMax . '+' : (int)$notificationCount ?>
             </span>
         </a>
         <ul
             class="admin__action-dropdown-menu"
-            data-mark-as-read-url="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/ajaxMarkAsRead') ?>">
+            data-mark-as-read-url="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/ajaxMarkAsRead')) ?>">
             <?php foreach ($block->getLatestUnreadNotifications() as $notification) : ?>
-            <?php /** @var $notification \Magento\AdminNotification\Model\Inbox*/ ?>
-            <li class="notifications-entry<?php if ($notification->getSeverity() == 1): ?> notifications-critical<?php endif; ?>"
-                data-notification-id="<?= /* @escapeNotVerified */ $notification->getId() ?>"
-                data-notification-severity="<?php if ($notification->getSeverity() == 1): ?>1<?php endif; ?>">
-                <?php
-                    $notificationDescription = $block->escapeHtml($notification->getDescription());
-                    $notificationDescriptionLength = $block->getNotificationDescriptionLength();
-                ?>
-                <strong class="notifications-entry-title">
-                    <?= $block->escapeHtml($notification->getTitle()) ?>
-                </strong>
-                <?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
-                    <p class="notifications-entry-description _cutted">
-                        <span class="notifications-entry-description-start">
-                            <?= /* @escapeNotVerified */ substr($notificationDescription, 0, $notificationDescriptionLength) ?>
-                        </span>
-                        <span class="notifications-entry-description-end">
-                            <?= /* @escapeNotVerified */ substr($notificationDescription, $notificationDescriptionLength) ?>
-                        </span>
-                    </p>
-                <?php else : ?>
-                    <p class="notifications-entry-description">
-                        <?= /* @escapeNotVerified */ $notificationDescription ?>
-                    </p>
-                <?php endif; ?>
-                <time class="notifications-entry-time">
-                    <?= /* @escapeNotVerified */ $block->formatNotificationDate($notification->getDateAdded()) ?>
-                </time>
-                <button
-                    type="button"
-                    class="notifications-close"
-                    title="<?= /* @escapeNotVerified */ __('Close') ?>"
-                    ></button>
-            </li>
+                <?php /** @var $notification \Magento\AdminNotification\Model\Inbox */ ?>
+                <li class="notifications-entry<?php if ($notification->getSeverity() == 1) : ?> notifications-critical<?php endif; ?>"
+                    data-notification-id="<?= $block->escapeHtmlAttr($notification->getId()) ?>"
+                    data-notification-severity="<?php if ($notification->getSeverity() == 1) : ?>1<?php endif; ?>">
+                    <?php
+                        $notificationDescription = $notification->getDescription();
+                        $notificationDescriptionLength = $block->getNotificationDescriptionLength();
+                    ?>
+                    <strong class="notifications-entry-title">
+                        <?= $block->escapeHtml($notification->getTitle()) ?>
+                    </strong>
+                    <?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
+                        <p class="notifications-entry-description _cutted">
+                            <span class="notifications-entry-description-start">
+                                <?= $block->escapeHtml(substr($notificationDescription, 0, $notificationDescriptionLength)) ?>
+                            </span>
+                            <span class="notifications-entry-description-end">
+                                <?= $block->escapeHtml(substr($notificationDescription, $notificationDescriptionLength)) ?>
+                            </span>
+                        </p>
+                    <?php else : ?>
+                        <p class="notifications-entry-description">
+                            <?= $block->escapeHtml($notificationDescription) ?>
+                        </p>
+                    <?php endif; ?>
+                    <time class="notifications-entry-time">
+                        <?= $block->escapeHtml($block->formatNotificationDate($notification->getDateAdded())) ?>
+                    </time>
+                    <button
+                        type="button"
+                        class="notifications-close"
+                        title="<?= $block->escapeHtmlAttr(__('Close')) ?>"
+                        ></button>
+                </li>
             <?php endforeach; ?>
             <li class="notifications-entry notifications-entry-last">
                 <a
-                    href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
+                    href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
                     class="action-tertiary action-more">
-                    <?= /* @escapeNotVerified */ __('See All (') ?><span class="notifications-counter"><?= /* @escapeNotVerified */ $notificationCount ?></span><?= /* @escapeNotVerified */ __(' unread)') ?>
+                    <?= $block->escapeHtml(__('See All (')) ?><span class="notifications-counter"><?= (int)$notificationCount ?></span><?= $block->escapeHtml(__(' unread)')) ?>
                 </a>
             </li>
         </ul>
     <?php else : ?>
         <a
             class="notifications-action admin__action-dropdown"
-            href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
-            title="<?= /* @escapeNotVerified */ __('Notifications') ?>">
+            href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>">
         </a>
     <?php endif; ?>
 </div>