magento
diff --git a/‎app/code/Magento/AdminNotification/Model/Feed.php
Lines changed: 13 additions & 2 deletions b/‎app/code/Magento/AdminNotification/Model/Feed.php
Lines changed: 13 additions & 2 deletions
diff --git a/‎app/code/Magento/AdminNotification/composer.json
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/AdminNotification/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml
Lines changed: 3 additions & 7 deletions b/‎app/code/Magento/AdminNotification/view/adminhtml/templates/notification/window.phtml
Lines changed: 3 additions & 7 deletions
diff --git a/‎app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml
Lines changed: 15 additions & 17 deletions b/‎app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml
Lines changed: 15 additions & 17 deletions
diff --git a/‎app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml
Lines changed: 5 additions & 7 deletions b/‎app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages/popup.phtml
Lines changed: 5 additions & 7 deletions
diff --git a/‎app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml
Lines changed: 44 additions & 47 deletions b/‎app/code/Magento/AdminNotification/view/adminhtml/templates/toolbar_entry.phtml
Lines changed: 44 additions & 47 deletions
diff --git a/‎app/code/Magento/AdvancedPricingImportExport/composer.json
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/AdvancedPricingImportExport/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/CollectionTimeLabelTest.php
Lines changed: 9 additions & 0 deletions b/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/CollectionTimeLabelTest.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/SubscriptionStatusLabelTest.php
Lines changed: 9 additions & 0 deletions b/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/SubscriptionStatusLabelTest.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/VerticalTest.php
Lines changed: 9 additions & 0 deletions b/‎app/code/Magento/Analytics/Test/Unit/Block/Adminhtml/System/Config/VerticalTest.php
Lines changed: 9 additions & 0 deletions
diff --git a/‎app/code/Magento/Analytics/composer.json
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Analytics/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Authorization/composer.json
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Authorization/composer.json
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/code/Magento/Authorizenet/composer.json
Lines changed: 1 addition & 1 deletion b/‎app/code/Magento/Authorizenet/composer.json
Lines changed: 1 addition & 1 deletion
@@ -25,6 +25,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var \Magento\Framework\Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +82,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param \Magento\Framework\Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,7 +96,8 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        \Magento\Framework\Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
         $this->_backendConfig    = $backendConfig;
@@ -99,12 +106,16 @@ public function __construct(
         $this->_deploymentConfig = $deploymentConfig;
         $this->productMetadata   = $productMetadata;
         $this->urlBuilder        = $urlBuilder;
+        $this->escaper = $escaper ?? \Magento\Framework\App\ObjectManager::getInstance()->get(
+            \Magento\Framework\Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -255,6 +266,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }
@@ -2,7 +2,7 @@
     "name": "magento/module-admin-notification",
     "description": "N/A",
     "require": {
-        "php": "~7.0.13|~7.1.0",
+        "php": "~7.0.13|~7.1.0|~7.2.0",
         "magento/module-store": "100.2.*",
         "magento/module-backend": "100.2.*",
         "magento/module-media-storage": "100.2.*",
 
@@ -4,10 +4,6 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
-?>
-<?php
 /**
  * @see \Magento\AdminNotification\Block\Window
  */
@@ -19,11 +15,11 @@
             "autoOpen": true,
             "buttons": false,
             "modalClass": "modal-system-messages",
-            "title": "<?= /* @escapeNotVerified */ $block->getHeaderText() ?>"
+            "title": "<?= $block->escapeHtmlAttr($block->getHeaderText()) ?>"
         }
     }'>
     <li class="message message-warning warning">
-        <?= /* @escapeNotVerified */ $block->getNoticeMessageText() ?><br/>
-        <a href="<?= /* @escapeNotVerified */ $block->getNoticeMessageUrl() ?>"><?= /* @escapeNotVerified */ $block->getReadDetailsText() ?></a>
+        <?= $block->escapeHtml($block->getNoticeMessageText()) ?><br/>
+        <a href="<?= $block->escapeUrl($block->getNoticeMessageUrl()) ?>"><?= $block->escapeHtml($block->getReadDetailsText()) ?></a>
     </li>
 </ul>
@@ -4,41 +4,39 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages */ ?>
 
 <?php $lastCritical = $block->getLastCritical();?>
-<div id="system_messages" class="message-system<?php if ($lastCritical): ?> message-system-unread<?php endif; ?>">
+<div id="system_messages" class="message-system<?php if ($lastCritical) : ?> message-system-unread<?php endif; ?>">
     <div class="message-system-inner">
-        <?php if ($lastCritical): ?>
+        <?php if ($lastCritical) : ?>
             <ul class="message-system-list">
                 <li class="message message-warning error">
-                    <?= /* @escapeNotVerified */ $lastCritical->getText() ?>
+                    <?= $block->escapeHtml($lastCritical->getText()) ?>
                 </li>
             </ul>
         <?php endif; ?>
         <div class="message-system-short">
             <span class="message-system-short-label">
-                <?= /* @escapeNotVerified */ __('System Messages:') ?>
+                <?= $block->escapeHtml(__('System Messages:')) ?>
             </span>
 
-            <?php if ($block->getCriticalCount()): ?>
+            <?php if ($block->getCriticalCount()) : ?>
                 <div class="message message-warning error">
                     <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Critical System Messages')) ?>">
-                        <?= /* @escapeNotVerified */ $block->getCriticalCount() ?>
+                        <?= $block->escapeHtml($block->getCriticalCount()) ?>
                     </a>
                 </div>
-            <?php endif;?>
+            <?php endif; ?>
 
-            <?php if ($block->getMajorCount()): ?>
-               <div class="message message-warning warning">
-                   <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
-                       <?= /* @escapeNotVerified */ $block->getMajorCount() ?>
-                   </a>
-               </div>
-            <?php endif;?>
+            <?php if ($block->getMajorCount()) : ?>
+                <div class="message message-warning warning">
+                    <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
+                        <?= $block->escapeHtml($block->getMajorCount()) ?>
+                    </a>
+                </div>
+            <?php endif; ?>
         </div>
         <div id="message-system-all" title="<?= $block->escapeHtml(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtml($block->getSystemMessageDialogJson()) ?>'></div>
     </div>
 
@@ -4,16 +4,14 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */
 ?>
-<?php /** @var $block \Magento\AdminNotification\Block\System\Messages\UnreadMessagePopup */ ?>
 
-<div style="display:none" id="system_messages_list" data-role="system_messages_list" title="<?= $block->escapeHtml($block->getPopupTitle()) ?>">
+<div style="display:none" id="system_messages_list" data-role="system_messages_list" title="<?= $block->escapeHtmlAttr($block->getPopupTitle()) ?>">
     <ul class="message-system-list messages">
-        <?php foreach ($block->getUnreadMessages() as $message): ?>
-            <li class="message message-warning <?= /* @escapeNotVerified */ $block->getItemClass($message) ?>">
-                <?= /* @escapeNotVerified */ $message->getText() ?>
+        <?php foreach ($block->getUnreadMessages() as $message) : ?>
+            <li class="message message-warning <?= $block->escapeHtmlAttr($block->getItemClass($message)) ?>">
+                <?= $block->escapeHtml($message->getText()) ?>
             </li>
         <?php endforeach;?>
     </ul>
 
@@ -4,81 +4,78 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
+/** @var $this \Magento\AdminNotification\Block\ToolbarEntry */
 
-?>
-<?php /** @var $this \Magento\AdminNotification\Block\ToolbarEntry */ ?>
-<?php
     $notificationCount = $block->getUnreadNotificationCount();
     $notificationCounterMax = $block->getNotificationCounterMax();
 ?>
 <div
     data-mage-init='{"toolbarEntry": {}}'
     class="notifications-wrapper admin__action-dropdown-wrap"
-    data-notification-count="<?= /* @escapeNotVerified */ $notificationCount ?>">
+    data-notification-count="<?= (int)$notificationCount ?>">
     <?php if ($notificationCount > 0) : ?>
         <a
-            href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
+            href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
             class="notifications-action admin__action-dropdown"
             data-mage-init='{"dropdown":{}}'
-            title="<?= /* @escapeNotVerified */ __('Notifications') ?>"
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>"
             data-toggle="dropdown">
             <span class="notifications-counter">
-                <?= /* @escapeNotVerified */ ($notificationCount > $notificationCounterMax) ? $notificationCounterMax . '+' : $notificationCount ?>
+                <?= /* @noEscape */ ($notificationCount > $notificationCounterMax) ? (int)$notificationCounterMax . '+' : (int)$notificationCount ?>
             </span>
         </a>
         <ul
             class="admin__action-dropdown-menu"
-            data-mark-as-read-url="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/ajaxMarkAsRead') ?>">
+            data-mark-as-read-url="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/ajaxMarkAsRead')) ?>">
             <?php foreach ($block->getLatestUnreadNotifications() as $notification) : ?>
-            <?php /** @var $notification \Magento\AdminNotification\Model\Inbox*/ ?>
-            <li class="notifications-entry<?php if ($notification->getSeverity() == 1): ?> notifications-critical<?php endif; ?>"
-                data-notification-id="<?= /* @escapeNotVerified */ $notification->getId() ?>"
-                data-notification-severity="<?php if ($notification->getSeverity() == 1): ?>1<?php endif; ?>">
-                <?php
-                    $notificationDescription = $block->escapeHtml($notification->getDescription());
-                    $notificationDescriptionLength = $block->getNotificationDescriptionLength();
-                ?>
-                <strong class="notifications-entry-title">
-                    <?= $block->escapeHtml($notification->getTitle()) ?>
-                </strong>
-                <?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
-                    <p class="notifications-entry-description _cutted">
-                        <span class="notifications-entry-description-start">
-                            <?= /* @escapeNotVerified */ substr($notificationDescription, 0, $notificationDescriptionLength) ?>
-                        </span>
-                        <span class="notifications-entry-description-end">
-                            <?= /* @escapeNotVerified */ substr($notificationDescription, $notificationDescriptionLength) ?>
-                        </span>
-                    </p>
-                <?php else : ?>
-                    <p class="notifications-entry-description">
-                        <?= /* @escapeNotVerified */ $notificationDescription ?>
-                    </p>
-                <?php endif; ?>
-                <time class="notifications-entry-time">
-                    <?= /* @escapeNotVerified */ $block->formatNotificationDate($notification->getDateAdded()) ?>
-                </time>
-                <button
-                    type="button"
-                    class="notifications-close"
-                    title="<?= /* @escapeNotVerified */ __('Close') ?>"
-                    ></button>
-            </li>
+                <?php /** @var $notification \Magento\AdminNotification\Model\Inbox */ ?>
+                <li class="notifications-entry<?php if ($notification->getSeverity() == 1) : ?> notifications-critical<?php endif; ?>"
+                    data-notification-id="<?= $block->escapeHtmlAttr($notification->getId()) ?>"
+                    data-notification-severity="<?php if ($notification->getSeverity() == 1) : ?>1<?php endif; ?>">
+                    <?php
+                        $notificationDescription = $notification->getDescription();
+                        $notificationDescriptionLength = $block->getNotificationDescriptionLength();
+                    ?>
+                    <strong class="notifications-entry-title">
+                        <?= $block->escapeHtml($notification->getTitle()) ?>
+                    </strong>
+                    <?php if (strlen($notificationDescription) > $notificationDescriptionLength) : ?>
+                        <p class="notifications-entry-description _cutted">
+                            <span class="notifications-entry-description-start">
+                                <?= $block->escapeHtml(substr($notificationDescription, 0, $notificationDescriptionLength)) ?>
+                            </span>
+                            <span class="notifications-entry-description-end">
+                                <?= $block->escapeHtml(substr($notificationDescription, $notificationDescriptionLength)) ?>
+                            </span>
+                        </p>
+                    <?php else : ?>
+                        <p class="notifications-entry-description">
+                            <?= $block->escapeHtml($notificationDescription) ?>
+                        </p>
+                    <?php endif; ?>
+                    <time class="notifications-entry-time">
+                        <?= $block->escapeHtml($block->formatNotificationDate($notification->getDateAdded())) ?>
+                    </time>
+                    <button
+                        type="button"
+                        class="notifications-close"
+                        title="<?= $block->escapeHtmlAttr(__('Close')) ?>"
+                        ></button>
+                </li>
             <?php endforeach; ?>
             <li class="notifications-entry notifications-entry-last">
                 <a
-                    href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
+                    href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
                     class="action-tertiary action-more">
-                    <?= /* @escapeNotVerified */ __('See All (') ?><span class="notifications-counter"><?= /* @escapeNotVerified */ $notificationCount ?></span><?= /* @escapeNotVerified */ __(' unread)') ?>
+                    <?= $block->escapeHtml(__('See All (')) ?><span class="notifications-counter"><?= (int)$notificationCount ?></span><?= $block->escapeHtml(__(' unread)')) ?>
                 </a>
             </li>
         </ul>
     <?php else : ?>
         <a
             class="notifications-action admin__action-dropdown"
-            href="<?= /* @escapeNotVerified */ $block->getUrl('adminhtml/notification/index') ?>"
-            title="<?= /* @escapeNotVerified */ __('Notifications') ?>">
+            href="<?= $block->escapeUrl($block->getUrl('adminhtml/notification/index')) ?>"
+            title="<?= $block->escapeHtmlAttr(__('Notifications')) ?>">
         </a>
     <?php endif; ?>
 </div>
@@ -2,7 +2,7 @@
     "name": "magento/module-advanced-pricing-import-export",
     "description": "N/A",
     "require": {
-        "php": "~7.0.13|~7.1.0",
+        "php": "~7.0.13|~7.1.0|~7.2.0",
         "magento/module-catalog": "102.0.*",
         "magento/module-catalog-inventory": "100.2.*",
         "magento/module-eav": "101.0.*",
 
@@ -40,6 +40,15 @@ protected function setUp()
             ->setMethods(['getComment', 'getHtmlId', 'getName'])
             ->disableOriginalConstructor()
             ->getMock();
+
+        $objectManager = new ObjectManager($this);
+        $escaper = $objectManager->getObject(\Magento\Framework\Escaper::class);
+        $objectManager->setBackwardCompatibleProperty(
+            $this->abstractElementMock,
+            '_escaper',
+            $escaper
+        );
+
         $this->contextMock = $this->getMockBuilder(Context::class)
             ->setMethods(['getLocaleDate'])
             ->disableOriginalConstructor()
 
@@ -54,6 +54,15 @@ protected function setUp()
             ->setMethods(['getComment', 'getHtmlId', 'getName'])
             ->disableOriginalConstructor()
             ->getMock();
+
+        $objectManager = new ObjectManager($this);
+        $escaper = $objectManager->getObject(\Magento\Framework\Escaper::class);
+        $objectManager->setBackwardCompatibleProperty(
+            $this->abstractElementMock,
+            '_escaper',
+            $escaper
+        );
+
         $this->formMock = $this->getMockBuilder(Form::class)
             ->disableOriginalConstructor()
             ->getMock();
 
@@ -39,6 +39,15 @@ protected function setUp()
             ->setMethods(['getComment', 'getLabel', 'getHint', 'getHtmlId', 'getName'])
             ->disableOriginalConstructor()
             ->getMock();
+
+        $objectManager = new ObjectManager($this);
+        $escaper = $objectManager->getObject(\Magento\Framework\Escaper::class);
+        $objectManager->setBackwardCompatibleProperty(
+            $this->abstractElementMock,
+            '_escaper',
+            $escaper
+        );
+
         $this->contextMock = $this->getMockBuilder(Context::class)
             ->disableOriginalConstructor()
             ->getMock();
 
@@ -2,7 +2,7 @@
     "name": "magento/module-analytics",
     "description": "N/A",
     "require": {
-        "php": "~7.0.13|~7.1.0",
+        "php": "~7.0.13|~7.1.0|~7.2.0",
         "magento/module-backend": "100.2.*",
         "magento/module-config": "101.0.*",
         "magento/module-integration": "100.2.*",
 
@@ -2,7 +2,7 @@
     "name": "magento/module-authorization",
     "description": "Authorization module provides access to Magento ACL functionality.",
     "require": {
-        "php": "~7.0.13|~7.1.0",
+        "php": "~7.0.13|~7.1.0|~7.2.0",
         "magento/module-backend": "100.2.*",
         "magento/framework": "101.0.*"
     },
 
@@ -2,7 +2,7 @@
     "name": "magento/module-authorizenet",
     "description": "N/A",
     "require": {
-        "php": "~7.0.13|~7.1.0",
+        "php": "~7.0.13|~7.1.0|~7.2.0",
         "magento/module-sales": "101.0.*",
         "magento/module-store": "100.2.*",
         "magento/module-quote": "101.0.*",