Merge pull request #587 from magento-mpi/MAGETWO-33490

[MPI] Magento Framework protects against XSS attacks
magento · Sep 11, 2015 · 8552a51 · 8552a51
2 parents b51f3e0 + 1e8ba20
commit 8552a51
Show file tree

Hide file tree

Showing 766 changed files with 6,385 additions and 5,708 deletions.
diff --git a/app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml b/app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml
@@ -13,19 +13,19 @@
  */
 ?>
 <div data-mage-init='{"modalPopup": {}}' class="fade critical-notification">
-    <div class="popup popup-<?php echo preg_replace('#[^a-z0-9]+#', '-', strtolower($block->getSeverityText())) ?>">
+    <div class="popup popup-<?php /* @escapeNotVerified */ echo preg_replace('#[^a-z0-9]+#', '-', strtolower($block->getSeverityText())) ?>">
         <div class="popup-inner">
             <div class="popup-header">
-                <div class="popup-title"><?php echo $block->getHeaderText(); ?></div>
+                <div class="popup-title"><?php /* @escapeNotVerified */ echo $block->getHeaderText(); ?></div>
             </div>
             <div class="popup-content">
-                <span><?php echo $block->getSeverityText();?></span>
+                <span><?php /* @escapeNotVerified */ echo $block->getSeverityText();?></span>
 
-                <p class="message-text"><?php echo $block->getNoticeMessageText(); ?></p>
+                <p class="message-text"><?php /* @escapeNotVerified */ echo $block->getNoticeMessageText(); ?></p>
 
-                <a href="<?php echo $block->getNoticeMessageUrl(); ?>"><?php echo $block->getReadDetailsText(); ?></a>
+                <a href="<?php /* @escapeNotVerified */ echo $block->getNoticeMessageUrl(); ?>"><?php /* @escapeNotVerified */ echo $block->getReadDetailsText(); ?></a>
             </div>
-            <span class="action close" data-dismiss="popup" title="<?php echo $block->escapeHtml(__('Close popup'));?>"><?php echo __('Close'); ?></span>
+            <span class="action close" data-dismiss="popup" title="<?php echo $block->escapeHtml(__('Close popup'));?>"><?php /* @escapeNotVerified */ echo __('Close'); ?></span>
         </div>
     </div>
 </div>
diff --git a/app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml b/app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml
@@ -15,27 +15,27 @@
         <?php if ($lastCritical): ?>
             <ul class="message-system-list">
                 <li class="message message-warning error">
-                    <?php echo $lastCritical->getText();?>
+                    <?php /* @escapeNotVerified */ echo $lastCritical->getText();?>
                 </li>
             </ul>
         <?php endif; ?>
         <div class="message-system-short">
             <span class="message-system-short-label">
-                <?php echo __('System Messages:')?>
+                <?php /* @escapeNotVerified */ echo __('System Messages:')?>
             </span>
 
             <?php if ($block->getCriticalCount()): ?>
                 <div class="message message-warning error">
                     <a class="message-link" href="#" title="<?php echo $block->escapeHtml(__('Critical System Messages'));?>">
-                        <?php echo $block->getCriticalCount();?>
+                        <?php /* @escapeNotVerified */ echo $block->getCriticalCount();?>
                     </a>
                 </div>
             <?php endif;?>
 
             <?php if ($block->getMajorCount()): ?>
                <div class="message message-warning warning">
                    <a class="message-link" href="#" title="<?php echo $block->escapeHtml(__('Major System Messages'));?>">
-                       <?php echo $block->getMajorCount();?>
+                       <?php /* @escapeNotVerified */ echo $block->getMajorCount();?>
                    </a>
                </div>
             <?php endif;?>

diff --git a/app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml b/app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml
@@ -12,8 +12,8 @@
 <div id="system_messages_list" title="<?php echo $block->escapeHtml($block->getPopupTitle()); ?>">
     <ul class="message-system-list">
         <?php foreach ($block->getUnreadMessages() as $message): ?>
-            <li class="message message-warning <?php echo $block->getItemClass($message);?>">
-                <?php echo $message->getText();?>
+            <li class="message message-warning <?php /* @escapeNotVerified */ echo $block->getItemClass($message);?>">
+                <?php /* @escapeNotVerified */ echo $message->getText();?>
             </li>
         <?php endforeach;?>
     </ul>

diff --git a/app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml b/app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml
@@ -15,25 +15,25 @@
 <div
     data-mage-init='{"toolbarEntry": {}}'
     class="notifications-wrapper admin__action-dropdown-wrap"
-    data-notification-count="<?php echo $notificationCount; ?>">
+    data-notification-count="<?php /* @escapeNotVerified */ echo $notificationCount; ?>">
     <?php if ($notificationCount > 0) : ?>
         <a
-            href="<?php echo $block->getUrl('adminhtml/notification/index'); ?>"
+            href="<?php /* @escapeNotVerified */ echo $block->getUrl('adminhtml/notification/index'); ?>"
             class="notifications-action admin__action-dropdown"
             data-mage-init='{"dropdown":{}}'
-            title="<?php echo __('Notifications'); ?>"
+            title="<?php /* @escapeNotVerified */ echo __('Notifications'); ?>"
             data-toggle="dropdown">
             <span class="notifications-counter">
-                <?php echo ($notificationCount > $notificationCounterMax) ? $notificationCounterMax . '+' : $notificationCount; ?>
+                <?php /* @escapeNotVerified */ echo ($notificationCount > $notificationCounterMax) ? $notificationCounterMax . '+' : $notificationCount; ?>
             </span>
         </a>
         <ul
             class="admin__action-dropdown-menu"
-            data-mark-as-read-url="<?php echo $block->getUrl('adminhtml/notification/ajaxMarkAsRead'); ?>">
+            data-mark-as-read-url="<?php /* @escapeNotVerified */ echo $block->getUrl('adminhtml/notification/ajaxMarkAsRead'); ?>">
             <?php foreach ($block->getLatestUnreadNotifications() as $notification) : ?>
             <?php /** @var $notification \Magento\AdminNotification\Model\Inbox*/ ?>
             <li class="notifications-entry<?php if ($notification->getSeverity() == 1): ?> notifications-critical<?php endif; ?>"
-                data-notification-id="<?php echo $notification->getId(); ?>"
+                data-notification-id="<?php /* @escapeNotVerified */ echo $notification->getId(); ?>"
                 data-notification-severity="<?php if ($notification->getSeverity() == 1): ?>1<?php endif; ?>">
                 <?php
                     $notificationDescription = $block->escapeHtml($notification->getDescription());
@@ -45,40 +45,40 @@
                 <?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
                     <p class="notifications-entry-description _cutted">
                         <span class="notifications-entry-description-start">
-                            <?php echo substr($notificationDescription, 0, $notificationDescriptionLength); ?>
+                            <?php /* @escapeNotVerified */ echo substr($notificationDescription, 0, $notificationDescriptionLength); ?>
                         </span>
                         <span class="notifications-entry-description-end">
-                            <?php echo substr($notificationDescription, $notificationDescriptionLength); ?>
+                            <?php /* @escapeNotVerified */ echo substr($notificationDescription, $notificationDescriptionLength); ?>
                         </span>
                     </p>
                 <?php else : ?>
                     <p class="notifications-entry-description">
-                        <?php echo $notificationDescription; ?>
+                        <?php /* @escapeNotVerified */ echo $notificationDescription; ?>
                     </p>
                 <?php endif; ?>
                 <time class="notifications-entry-time">
-                    <?php echo $block->formatNotificationDate($notification->getDateAdded()); ?>
+                    <?php /* @escapeNotVerified */ echo $block->formatNotificationDate($notification->getDateAdded()); ?>
                 </time>
                 <button
                     type="button"
                     class="notifications-close"
-                    title="<?php echo __('Close'); ?>"
+                    title="<?php /* @escapeNotVerified */ echo __('Close'); ?>"
                     ></button>
             </li>
             <?php endforeach; ?>
             <li class="notifications-entry notifications-entry-last">
                 <a
-                    href="<?php echo $block->getUrl('adminhtml/notification/index'); ?>"
+                    href="<?php /* @escapeNotVerified */ echo $block->getUrl('adminhtml/notification/index'); ?>"
                     class="action-tertiary action-more">
-                    <?php echo __('See All (') ?><span class="notifications-counter"><?php echo $notificationCount ?></span><?php echo __(' unread)'); ?>
+                    <?php /* @escapeNotVerified */ echo __('See All (') ?><span class="notifications-counter"><?php /* @escapeNotVerified */ echo $notificationCount ?></span><?php /* @escapeNotVerified */ echo __(' unread)'); ?>
                 </a>
             </li>
         </ul>
     <?php else : ?>
         <a
             class="notifications-action admin__action-dropdown"
-            href="<?php echo $block->getUrl('adminhtml/notification/index'); ?>"
-            title="<?php echo __('Notifications'); ?>">
+            href="<?php /* @escapeNotVerified */ echo $block->getUrl('adminhtml/notification/index'); ?>"
+            title="<?php /* @escapeNotVerified */ echo __('Notifications'); ?>">
         </a>
     <?php endif; ?>
 </div>
diff --git a/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/iframe.phtml b/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/iframe.phtml
@@ -22,9 +22,9 @@ $helper = $block->getHelper('adminhtml');
             window.top.location="<?php echo $block->escapeUrl($params['redirect_parent']) ?>";
         <?php endif; ?>
         <?php if (isset($params['error_msg'])): ?>
-            window.top.directPostModel.showError(<?php echo json_encode((array)$params['error_msg']) ?>);
+            window.top.directPostModel.showError(<?php /* @escapeNotVerified */ echo json_encode((array)$params['error_msg']) ?>);
             <?php if (isset($params['x_invoice_num'])): ?>
-                window.top.directPostModel.successUrl="<?php echo $helper->getSuccessOrderUrl($params) ?>";
+                window.top.directPostModel.successUrl="<?php /* @escapeNotVerified */ echo $helper->getSuccessOrderUrl($params) ?>";
             <?php endif; ?>
         <?php endif; ?>
         </script>

diff --git a/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml b/app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml
@@ -18,71 +18,71 @@ $_controller = $block->getRequest()->getControllerName();
 $_orderUrl = $this->helper('Magento\Authorizenet\Helper\Backend\Data')->getPlaceOrderAdminUrl();
 ?>
 <!-- IFRAME for request to our server -->
-<iframe id="order-directpost-iframe" allowtransparency="true" frameborder="0" name="iframeSubmitOrder" style="display:none;width:100%;background-color:transparent" src="<?php echo $block->getViewFileUrl('blank.html') ?>"></iframe>
+<iframe id="order-directpost-iframe" allowtransparency="true" frameborder="0" name="iframeSubmitOrder" style="display:none;width:100%;background-color:transparent" src="<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('blank.html') ?>"></iframe>
 <!-- IFRAME for request to Authorize.net -->
-<iframe id="directpost-iframe" allowtransparency="true" frameborder="0"  name="iframeDirectPost" style="display:none;width:100%;background-color:transparent" src="<?php echo $block->getViewFileUrl('blank.html') ?>"></iframe>
-<fieldset class="admin__fieldset payment-method" id="payment_form_<?php echo $_code ?>" style="display:none;">
+<iframe id="directpost-iframe" allowtransparency="true" frameborder="0"  name="iframeDirectPost" style="display:none;width:100%;background-color:transparent" src="<?php /* @escapeNotVerified */ echo $block->getViewFileUrl('blank.html') ?>"></iframe>
+<fieldset class="admin__fieldset payment-method" id="payment_form_<?php /* @escapeNotVerified */ echo $_code ?>" style="display:none;">
     <div class="admin__field _required">
-        <label for="<?php echo $_code ?>_cc_type"
-               class="admin__field-label"><span><?php echo __('Credit Card Type') ?></span></label>
+        <label for="<?php /* @escapeNotVerified */ echo $_code ?>_cc_type"
+               class="admin__field-label"><span><?php /* @escapeNotVerified */ echo __('Credit Card Type') ?></span></label>
         <div class="admin__field-control">
-            <select id="<?php echo $_code ?>_cc_type"
+            <select id="<?php /* @escapeNotVerified */ echo $_code ?>_cc_type"
                     name="payment[cc_type]"
                     class="required-entry validate-cc-type-select admin__control-select">
                 <?php $_ccType = $_form->getInfoData('cc_type') ?>
                 <option value=""></option>
                 <?php foreach ($_form->getCcAvailableTypes() as $_typeCode => $_typeName): ?>
-                    <option value="<?php echo $_typeCode ?>"
-                            <?php if ($_typeCode == $_ccType): ?>selected="selected"<?php endif ?>><?php echo $_typeName ?></option>
+                    <option value="<?php /* @escapeNotVerified */ echo $_typeCode ?>"
+                            <?php if ($_typeCode == $_ccType): ?>selected="selected"<?php endif ?>><?php /* @escapeNotVerified */ echo $_typeName ?></option>
                 <?php endforeach ?>
             </select>
         </div>
     </div>
     <div class="admin__field _required">
-        <label for="<?php echo $_code ?>_cc_number"
-               class="admin__field-label"><span><?php echo __('Credit Card Number') ?></span></label>
+        <label for="<?php /* @escapeNotVerified */ echo $_code ?>_cc_number"
+               class="admin__field-label"><span><?php /* @escapeNotVerified */ echo __('Credit Card Number') ?></span></label>
 
         <div class="admin__field-control">
-            <input type="text" id="<?php echo $_code ?>_cc_number"
+            <input type="text" id="<?php /* @escapeNotVerified */ echo $_code ?>_cc_number"
                    name="payment[cc_number]"
                    class="input-text required-entry validate-cc-number admin__control-text"
-                   value="<?php echo $block->getInfoData('cc_number') ?>"/>
+                   value="<?php /* @escapeNotVerified */ echo $block->getInfoData('cc_number') ?>"/>
         </div>
     </div>
     <div class="admin__field _required">
-        <label for="<?php echo $_code ?>_expiration"
-               class="admin__field-label"><span><?php echo __('Expiration Date') ?></span></label>
+        <label for="<?php /* @escapeNotVerified */ echo $_code ?>_expiration"
+               class="admin__field-label"><span><?php /* @escapeNotVerified */ echo __('Expiration Date') ?></span></label>
 
         <div class="admin__field-control">
-            <select id="<?php echo $_code ?>_expiration"
+            <select id="<?php /* @escapeNotVerified */ echo $_code ?>_expiration"
                     name="payment[cc_exp_month]"
                     class="validate-cc-exp required-entry admin__control-select admin__control-select-month">
                 <?php $_ccExpMonth = $_form->getInfoData('cc_exp_month') ?>
                 <?php foreach ($_form->getCcMonths() as $k => $v): ?>
-                    <option value="<?php echo $k ?>"
-                            <?php if ($k == $_ccExpMonth): ?>selected="selected"<?php endif ?>><?php echo $v ?></option>
+                    <option value="<?php /* @escapeNotVerified */ echo $k ?>"
+                            <?php if ($k == $_ccExpMonth): ?>selected="selected"<?php endif ?>><?php /* @escapeNotVerified */ echo $v ?></option>
                 <?php endforeach ?>
             </select>
             <?php $_ccExpYear = $_form->getInfoData('cc_exp_year') ?>
-            <select id="<?php echo $_code ?>_expiration_yr"
+            <select id="<?php /* @escapeNotVerified */ echo $_code ?>_expiration_yr"
                     name="payment[cc_exp_year]"
                     class="required-entry admin__control-select admin__control-select-year">
                 <?php foreach ($_form->getCcYears() as $k => $v): ?>
-                    <option value="<?php echo $k ? $k : '' ?>"
-                            <?php if ($k == $_ccExpYear): ?>selected="selected"<?php endif ?>><?php echo $v ?></option>
+                    <option value="<?php /* @escapeNotVerified */ echo $k ? $k : '' ?>"
+                            <?php if ($k == $_ccExpYear): ?>selected="selected"<?php endif ?>><?php /* @escapeNotVerified */ echo $v ?></option>
                 <?php endforeach ?>
             </select>
         </div>
     </div>
     <?php if ($_form->hasVerification()): ?>
     <div class="admin__field _required">
-        <label for="<?php echo $_code ?>_cc_cid"><span><?php echo __('Card Verification Number') ?></span></label>
+        <label for="<?php /* @escapeNotVerified */ echo $_code ?>_cc_cid"><span><?php /* @escapeNotVerified */ echo __('Card Verification Number') ?></span></label>
 
         <div class="admin__field-control">
             <input type="text"
                    class="required-entry input-text validate-cc-cvn admin__control-text"
-                   id="<?php echo $_code ?>_cc_cid" name="payment[cc_cid]"
-                   value="<?php echo $block->getInfoData('cc_cid') ?>"/>
+                   id="<?php /* @escapeNotVerified */ echo $_code ?>_cc_cid" name="payment[cc_cid]"
+                   value="<?php /* @escapeNotVerified */ echo $block->getInfoData('cc_cid') ?>"/>
         </div>
     </div>
     <?php endif; ?>
@@ -98,19 +98,19 @@ $_orderUrl = $this->helper('Magento\Authorizenet\Helper\Backend\Data')->getPlace
         /**
          * Disable card server validation in admin
          */
-        order.addExcludedPaymentMethod('<?php echo $_code ?>');
+        order.addExcludedPaymentMethod('<?php /* @escapeNotVerified */ echo $_code ?>');
 
         <?php if (!$block->isAjaxRequest()): ?>
             document.observe('dom:loaded', function(){
         <?php endif; ?>
 
         directPostModel = new directPost(
-            '<?php echo $_code ?>',
+            '<?php /* @escapeNotVerified */ echo $_code ?>',
             'directpost-iframe',
-            '<?php echo $_controller ?>',
-            '<?php echo $_orderUrl ?>',
-            '<?php echo $_method->getCgiUrl() ?>',
-            '<?php echo $block->getUrl('*/*/save', ['_secure' => $block->getRequest()->isSecure()]) ?>');
+            '<?php /* @escapeNotVerified */ echo $_controller ?>',
+            '<?php /* @escapeNotVerified */ echo $_orderUrl ?>',
+            '<?php /* @escapeNotVerified */ echo $_method->getCgiUrl() ?>',
+            '<?php /* @escapeNotVerified */ echo $block->getUrl('*/*/save', ['_secure' => $block->getRequest()->isSecure()]) ?>');
 
         <?php if (!$block->isAjaxRequest()): ?>
             });