Merge pull request #4841 from magento-borg/MC-18153

[Borg] MC-18153: Correct phtml templates

app/code/Magento/AdminNotification/view/adminhtml/templates/system/messages.phtml

@@ -26,20 +26,20 @@
 
             <?php if ($block->getCriticalCount()) : ?>
                 <div class="message message-warning error">
-                    <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Critical System Messages')) ?>">
+                    <a class="message-link" href="#" title="<?= $block->escapeHtmlAttr(__('Critical System Messages')) ?>">
                         <?= (int) $block->getCriticalCount() ?>
                     </a>
                 </div>
             <?php endif; ?>
 
             <?php if ($block->getMajorCount()) : ?>
                <div class="message message-warning warning">
-                   <a class="message-link" href="#" title="<?= $block->escapeHtml(__('Major System Messages')) ?>">
+                   <a class="message-link" href="#" title="<?= $block->escapeHtmlAttr(__('Major System Messages')) ?>">
                        <?= (int) $block->getMajorCount() ?>
                    </a>
                </div>
             <?php endif; ?>
         </div>
-        <div id="message-system-all" title="<?= $block->escapeHtml(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtml($block->getSystemMessageDialogJson()) ?>'></div>
+        <div id="message-system-all" title="<?= $block->escapeHtmlAttr(__('System messages')) ?>" data-mage-init='<?= $block->escapeHtmlAttr($block->getSystemMessageDialogJson()) ?>'></div>
     </div>
 </div>

app/code/Magento/AdvancedSearch/view/adminhtml/templates/system/config/testconnection.phtml

@@ -4,11 +4,11 @@
  * See COPYING.txt for license details.
  */
 ?>
-<button class="scalable" type="button" id="<?= $block->getHtmlId() ?>" data-mage-init='{"testConnection":{
+<button class="scalable" type="button" id="<?= /* @noEscape */ $block->getHtmlId() ?>" data-mage-init='{"testConnection":{
     "url": "<?= $block->escapeUrl($block->getAjaxUrl()) ?>",
-    "elementId": "<?= $block->getHtmlId() ?>",
+    "elementId": "<?= /* @noEscape */ $block->getHtmlId() ?>",
     "successText": "<?= $block->escapeHtmlAttr(__('Successful! Test again?')) ?>",
     "failedText": "<?= $block->escapeHtmlAttr(__('Connection failed! Test again?')) ?>",
     "fieldMapping": "<?= /* @noEscape */ $block->getFieldMapping() ?>"}, "validation": {}}'>
-    <span id="<?= $block->getHtmlId() ?>_result"><?= $block->escapeHtml($block->getButtonLabel()) ?></span>
+    <span id="<?= /* @noEscape */ $block->getHtmlId() ?>_result"><?= $block->escapeHtml($block->getButtonLabel()) ?></span>
 </button>

app/code/Magento/Authorizenet/view/adminhtml/templates/directpost/info.phtml

@@ -41,7 +41,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
                         }">
                 <option value=""><?= $block->escapeHtml(__('Please Select')) ?></option>
                 <?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName) : ?>
-                    <option value="<?= $block->escapeHtml($typeCode) ?>"
+                    <option value="<?= $block->escapeHtmlAttr($typeCode) ?>"
                             <?php if ($typeCode == $ccType) : ?>selected="selected"<?php endif; ?>>
                         <?= $block->escapeHtml($typeName) ?>
                     </option>
@@ -81,7 +81,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
                         'validate-cc-exp':'#<?= /* @noEscape */ $code ?>_expiration_yr'
                         }">
                 <?php foreach ($block->getCcMonths() as $k => $v) : ?>
-                    <option value="<?= $block->escapeHtml($k) ?>"
+                    <option value="<?= $block->escapeHtmlAttr($k) ?>"
                             <?php if ($k == $ccExpMonth) : ?>selected="selected"<?php endif; ?>>
                         <?= $block->escapeHtml($v) ?>
                     </option>
@@ -93,7 +93,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
                     data-container="<?= /* @noEscape */ $code ?>-cc-year"
                     data-validate="{required:true}">
                 <?php foreach ($block->getCcYears() as $k => $v) : ?>
-                    <option value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
+                    <option value="<?= /* @noEscape */ $k ? $block->escapeHtmlAttr($k) : '' ?>"
                             <?php if ($k == $ccExpYear) : ?>selected="selected"<?php endif; ?>>
                         <?= $block->escapeHtml($v) ?>
                     </option>
@@ -113,7 +113,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
         <div class="admin__field-control">
             <input type="text"
                    data-container="<?= /* @noEscape */ $code ?>-cc-cvv"
-                   title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
+                   title="<?= $block->escapeHtmlAttr(__('Card Verification Number')) ?>"
                    class="admin__control-text cvv"
                    id="<?= /* @noEscape */ $code ?>_cc_cid" name="payment[cc_cid]"
                    value="<?= /* @noEscape */ $block->getInfoData('cc_cid') ?>"

app/code/Magento/AuthorizenetAcceptjs/view/adminhtml/templates/form/cc.phtml

@@ -23,7 +23,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
                     class="required-entry validate-cc-type-select admin__control-select">
                 <option value=""></option>
                 <?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName) : ?>
-                    <option value="<?= $block->escapeHtml($typeCode) ?>" <?php if ($typeCode == $ccType) : ?>selected="selected"<?php endif ?>>
+                    <option value="<?= $block->escapeHtmlAttr($typeCode) ?>" <?php if ($typeCode == $ccType) : ?>selected="selected"<?php endif ?>>
                         <?= $block->escapeHtml($typeName) ?>
                     </option>
                 <?php endforeach ?>
@@ -36,7 +36,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
         </label>
         <div class="admin__field-control">
             <input type="text" id="<?= /* @noEscape */ $code ?>_cc_number" name="payment[cc_number]"
-                   title="<?= $block->escapeHtml(__('Credit Card Number')) ?>" class="admin__control-text validate-cc-number"
+                   title="<?= $block->escapeHtmlAttr(__('Credit Card Number')) ?>" class="admin__control-text validate-cc-number"
                    value="<?= /* @noEscape */ $block->getInfoData('cc_number') ?>"/>
         </div>
     </div>
@@ -48,7 +48,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
             <select id="<?= /* @noEscape */ $code ?>_cc_exp_month" name="payment[cc_exp_month]"
                     class="admin__control-select admin__control-select-month validate-cc-exp required-entry">
                 <?php foreach ($block->getCcMonths() as $k => $v) : ?>
-                    <option value="<?= $block->escapeHtml($k) ?>"
+                    <option value="<?= $block->escapeHtmlAttr($k) ?>"
                             <?php if ($k == $ccExpMonth) : ?>selected="selected"<?php endif ?>>
                         <?= $block->escapeHtml($v) ?>
                     </option>
@@ -72,7 +72,7 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
                 <span><?= $block->escapeHtml(__('Card Verification Number')) ?></span>
             </label>
             <div class="admin__field-control">
-                <input type="text" title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
+                <input type="text" title="<?= $block->escapeHtmlAttr(__('Card Verification Number')) ?>"
                        class="required-entry validate-cc-cvn admin__control-cvn admin__control-text"
                        id="<?= /* @noEscape */ $code ?>_cc_cid"
                        name="payment[cc_cid]" value="<?= /* @noEscape */ $block->getInfoData('cc_cid') ?>"/>

app/code/Magento/Backend/view/adminhtml/templates/admin/access_denied.phtml

@@ -24,7 +24,7 @@
                     <a href="<?= $block->escapeUrl($_SERVER['HTTP_REFERER']) ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
                 <?php else : ?>
-                    <a href="<?= $block->escapeHtmlAttr('javascript:history.back()') ?>">
+                    <a href="<?= $block->escapeUrl('javascript:history.back()') ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
                 <?php endif ?>
             </span>

app/code/Magento/Backend/view/adminhtml/templates/dashboard/graph.phtml

@@ -6,9 +6,9 @@
 ?>
 <div class="dashboard-diagram">
     <div class="dashboard-diagram-switcher">
-        <label for="order_<?= $block->getHtmlId() ?>_period"
+        <label for="order_<?= /* @noEscape */ $block->getHtmlId() ?>_period"
                class="label"><?= $block->escapeHtml(__('Select Range:')) ?></label>
-        <select name="period" id="order_<?= $block->getHtmlId() ?>_period"
+        <select name="period" id="order_<?= /* @noEscape */ $block->getHtmlId() ?>_period"
                 onchange="changeDiagramsPeriod(this);" class="admin__control-select">
             <?php //phpcs:disable ?>
             <?php foreach ($this->helper(\Magento\Backend\Helper\Dashboard\Data::class)->getDatePeriods() as $value => $label) : ?>

app/code/Magento/Backend/view/adminhtml/templates/media/uploader.phtml

@@ -7,7 +7,7 @@
 /** @var $block \Magento\Backend\Block\Media\Uploader */
 ?>
 
-<div id="<?= $block->getHtmlId() ?>" class="uploader"
+<div id="<?= /* @noEscape */ $block->getHtmlId() ?>" class="uploader"
     data-mage-init='{
         "Magento_Backend/js/media-uploader" : {
             "maxFileSize": <?= /* @noEscape */ $block->getFileSizeService()->getMaxFileSize() ?>,
@@ -20,10 +20,10 @@
     <div class="fileinput-button form-buttons button">
         <span><?= $block->escapeHtml(__('Browse Files...')) ?></span>
         <input id="fileupload" type="file" name="<?= $block->escapeHtmlAttr($block->getConfig()->getFileField()) ?>"
-            data-url="<?= $block->escapeHtmlAttr($block->getConfig()->getUrl()) ?>" multiple="multiple" />
+            data-url="<?= $block->escapeUrl($block->getConfig()->getUrl()) ?>" multiple="multiple" />
     </div>
     <div class="clear"></div>
-    <script id="<?= $block->getHtmlId() ?>-template" type="text/x-magento-template" data-template="uploader">
+    <script id="<?= /* @noEscape */ $block->getHtmlId() ?>-template" type="text/x-magento-template" data-template="uploader">
         <div id="<%- data.id %>" class="file-row">
             <span class="file-info"><%- data.name %> (<%- data.size %>)</span>
             <div class="progressbar-container">

app/code/Magento/Backend/view/adminhtml/templates/page/header.phtml

@@ -15,14 +15,14 @@ $part = $block->getShowPart();
             <?= /* @noEscape */ $edition ?>
             class="logo">
             <img class="logo-img" src="<?= /* @noEscape */ $block->getViewFileUrl($logoSrc) ?>"
-            alt="<?= $block->escapeHtml(__('Magento Admin Panel')) ?>" title="<?= $block->escapeHtml(__('Magento Admin Panel')) ?>"/>
+            alt="<?= $block->escapeHtmlAttr(__('Magento Admin Panel')) ?>" title="<?= $block->escapeHtmlAttr(__('Magento Admin Panel')) ?>"/>
         </a>
 <?php elseif ($part === 'user') : ?>
         <div class="admin-user admin__action-dropdown-wrap">
             <a
                 href="<?= /* @noEscape */ $block->getUrl('adminhtml/system_account/index') ?>"
                 class="admin__action-dropdown"
-                title="<?= $block->escapeHtml(__('My Account')) ?>"
+                title="<?= $block->escapeHtmlAttr(__('My Account')) ?>"
                 data-mage-init='{"dropdown":{}}'
                 data-toggle="dropdown">
                 <span class="admin__action-dropdown-text">
@@ -35,15 +35,15 @@ $part = $block->getShowPart();
                     <a
                         href="<?= /* @noEscape */ $block->getUrl('adminhtml/system_account/index') ?>"
                         <?= /* @noEscape */ $block->getUiId('user', 'account', 'settings') ?>
-                        title="<?= $block->escapeHtml(__('Account Setting')) ?>">
+                        title="<?= $block->escapeHtmlAttr(__('Account Setting')) ?>">
                         <?= $block->escapeHtml(__('Account Setting')) ?> (<span class="admin-user-name"><?= $block->escapeHtml($block->getUser()->getUserName()) ?></span>)
                     </a>
                 </li>
                 <?php endif; ?>
                 <li>
                     <a
                         href="<?= /* @noEscape */ $block->getBaseUrl() ?>"
-                        title="<?= $block->escapeHtml(__('Customer View')) ?>"
+                        title="<?= $block->escapeHtmlAttr(__('Customer View')) ?>"
                         target="_blank" class="store-front">
                         <?= $block->escapeHtml(__('Customer View')) ?>
                     </a>
@@ -52,7 +52,7 @@ $part = $block->getShowPart();
                     <a
                         href="<?= /* @noEscape */ $block->getLogoutLink() ?>"
                         class="account-signout"
-                        title="<?= $block->escapeHtml(__('Sign Out')) ?>">
+                        title="<?= $block->escapeHtmlAttr(__('Sign Out')) ?>">
                         <?= $block->escapeHtml(__('Sign Out')) ?>
                     </a>
                 </li>

app/code/Magento/Backend/view/adminhtml/templates/store/switcher.phtml

@@ -13,15 +13,15 @@
     <div class="actions dropdown closable">
         <input type="hidden" name="store_switcher" id="store_switcher"
                data-role="store-view-id" data-param="<?= $block->escapeHtmlAttr($block->getStoreVarName()) ?>"
-               value="<?= $block->escapeHtml($block->getStoreId()) ?>"
+               value="<?= $block->escapeHtmlAttr($block->getStoreId()) ?>"
                onchange="switchScope(this);"<?= /* @noEscape */ $block->getUiId() ?> />
         <input type="hidden" name="store_group_switcher" id="store_group_switcher"
                data-role="store-group-id" data-param="<?= $block->escapeHtmlAttr($block->getStoreGroupVarName()) ?>"
-               value="<?= $block->escapeHtml($block->getStoreGroupId()) ?>"
+               value="<?= $block->escapeHtmlAttr($block->getStoreGroupId()) ?>"
                onchange="switchScope(this);"<?= /* @noEscape */ $block->getUiId() ?> />
         <input type="hidden" name="website_switcher" id="website_switcher"
                data-role="website-id" data-param="<?= $block->escapeHtmlAttr($block->getWebsiteVarName()) ?>"
-               value="<?= $block->escapeHtml($block->getWebsiteId()) ?>"
+               value="<?= $block->escapeHtmlAttr($block->getWebsiteId()) ?>"
                onchange="switchScope(this);"<?= /* @noEscape */ $block->getUiId() ?> />
         <button
             type="button"
@@ -53,7 +53,7 @@
                             <?php $showWebsite = true; ?>
                             <li class="store-switcher-website <?php if (!($block->isWebsiteSwitchEnabled() && ! $block->isWebsiteSelected($website))) : ?>disabled<?php endif; ?> <?php if ($block->isWebsiteSelected($website)) : ?>current<?php endif; ?>">
                                 <?php if ($block->isWebsiteSwitchEnabled() && ! $block->isWebsiteSelected($website)) : ?>
-                                    <a data-role="website-id" data-value="<?= $block->escapeHtml($website->getId()) ?>" href="#">
+                                    <a data-role="website-id" data-value="<?= $block->escapeHtmlAttr($website->getId()) ?>" href="#">
                                         <?= $block->escapeHtml($website->getName()) ?>
                                     </a>
                                 <?php else : ?>
@@ -65,7 +65,7 @@
                             <?php $showGroup = true; ?>
                             <li class="store-switcher-store <?php if (!($block->isStoreGroupSwitchEnabled() && ! $block->isStoreGroupSelected($group))) : ?>disabled<?php endif; ?> <?php if ($block->isStoreGroupSelected($group)) : ?>current<?php endif; ?>">
                                 <?php if ($block->isStoreGroupSwitchEnabled() && ! $block->isStoreGroupSelected($group)) : ?>
-                                    <a data-role="store-group-id" data-value="<?= $block->escapeHtml($group->getId()) ?>" href="#">
+                                    <a data-role="store-group-id" data-value="<?= $block->escapeHtmlAttr($group->getId()) ?>" href="#">
                                         <?= $block->escapeHtml($group->getName()) ?>
                                     </a>
                                 <?php else : ?>
@@ -75,7 +75,7 @@
                         <?php endif; ?>
                         <li class="store-switcher-store-view <?php if (!($block->isStoreSwitchEnabled() && !$block->isStoreSelected($store))) : ?>disabled<?php endif; ?> <?php if ($block->isStoreSelected($store)) :?>current<?php endif; ?>">
                             <?php if ($block->isStoreSwitchEnabled() && ! $block->isStoreSelected($store)) : ?>
-                                <a data-role="store-view-id" data-value="<?= $block->escapeHtml($store->getId()) ?>" href="#">
+                                <a data-role="store-view-id" data-value="<?= $block->escapeHtmlAttr($store->getId()) ?>" href="#">
                                     <?= $block->escapeHtml($store->getName()) ?>
                                 </a>
                             <?php else : ?>

app/code/Magento/Backend/view/adminhtml/templates/store/switcher/form/renderer/fieldset.phtml

@@ -10,7 +10,7 @@
 <?php endif; ?>
 
 <?php if (!$_element->getNoContainer()) : ?>
-    <fieldset class="admin__fieldset fieldset <?= $block->escapeHtmlAttr($_element->getClass()) ?>" id="<?= $_element->getHtmlId() ?>">
+    <fieldset class="admin__fieldset fieldset <?= $block->escapeHtmlAttr($_element->getClass()) ?>" id="<?= /* @noEscape */ $_element->getHtmlId() ?>">
 <?php endif; ?>
 
     <?php if ($_element->getLegend()) : ?>

app/code/Magento/Backend/view/adminhtml/templates/system/cache/additional.phtml

@@ -14,23 +14,23 @@ $permissions = $block->getData('permissions');
         </h2>
         <?php if ($permissions->hasAccessToFlushCatalogImages()) : ?>
             <p>
-                <button onclick="setLocation('<?= $block->escapeJs($block->getCleanImagesUrl()); ?>')" type="button">
+                <button onclick="setLocation('<?= $block->escapeHtmlAttr($block->escapeJs($block->escapeUrl($block->getCleanImagesUrl()))); ?>')" type="button">
                     <?= $block->escapeHtml(__('Flush Catalog Images Cache')); ?>
                 </button>
                 <span><?= $block->escapeHtml(__('Pregenerated product images files')); ?></span>
             </p>
         <?php endif; ?>
         <?php if ($permissions->hasAccessToFlushJsCss()) : ?>
             <p>
-                <button onclick="setLocation('<?= $block->escapeJs($block->getCleanMediaUrl()); ?>')" type="button">
+                <button onclick="setLocation('<?= $block->escapeHtmlAttr($block->escapeJs($block->escapeUrl($block->getCleanMediaUrl()))); ?>')" type="button">
                     <?= $block->escapeHtml(__('Flush JavaScript/CSS Cache')); ?>
                 </button>
                 <span><?= $block->escapeHtml(__('Themes JavaScript and CSS files combined to one file')) ?></span>
             </p>
         <?php endif; ?>
         <?php if (!$block->isInProductionMode() && $permissions->hasAccessToFlushStaticFiles()) : ?>
             <p>
-                <button onclick="setLocation('<?= $block->escapeJs($block->getCleanStaticFilesUrl()); ?>')" type="button">
+                <button onclick="setLocation('<?= $block->escapeHtmlAttr($block->escapeJs($block->escapeUrl($block->getCleanStaticFilesUrl()))); ?>')" type="button">
                     <?= $block->escapeHtml(__('Flush Static Files Cache')); ?>
                 </button>
                 <span><?= $block->escapeHtml(__('Preprocessed view files and static files')); ?></span>

app/code/Magento/Backend/view/adminhtml/templates/widget/accordion.phtml

@@ -11,7 +11,7 @@
 $items = $block->getItems();
 ?>
 <?php if (!empty($items)) : ?>
-    <dl id="tab_content_<?= $block->getHtmlId() ?>" name="tab_content_<?= $block->getHtmlId() ?>" class="accordion">
+    <dl id="tab_content_<?= /* @noEscape */ $block->getHtmlId() ?>" name="tab_content_<?= /* @noEscape */ $block->getHtmlId() ?>" class="accordion">
     <?php foreach ($items as $_item) : ?>
         <?= $block->getChildHtml($_item->getId()) ?>
     <?php endforeach ?>
@@ -20,7 +20,7 @@ $items = $block->getItems();
         require([
             'mage/adminhtml/accordion'
         ], function(){
-            tab_content_<?= $block->getHtmlId() ?>AccordionJs = new varienAccordion('tab_content_<?= $block->getHtmlId() ?>', '<?= $block->escapeJs($block->getShowOnlyOne()) ?>');
+            tab_content_<?= /* @noEscape */ $block->getHtmlId() ?>AccordionJs = new varienAccordion('tab_content_<?= /* @noEscape */ $block->getHtmlId() ?>', '<?= $block->escapeJs($block->getShowOnlyOne()) ?>');
         });
     </script>
 <?php endif; ?>