Merge remote-tracking branch 'upstream/2.3-develop' into project_pepe

Author: lfolco

.github/CONTRIBUTING.md

@@ -11,7 +11,7 @@ The Magento 2 development team or community maintainers will review all issues a
 During the review we might require clarifications from the contributor.
 If there is no response from the contributor within two weeks, the pull request will be closed.
 
-For more detialed information on contribution please read our [beginners guide](https://github.com/magento/magento2/wiki/Getting-Started).
+For more detailed information on contribution please read our [beginners guide](https://github.com/magento/magento2/wiki/Getting-Started).
 
 ## Contribution requirements
 

app/code/Magento/AdminNotification/Model/Feed.php

@@ -5,6 +5,8 @@
  */
 namespace Magento\AdminNotification\Model;
 
+use Magento\Framework\Escaper;
+use Magento\Framework\App\ObjectManager;
 use Magento\Framework\Config\ConfigOptionsListConstants;
 
 /**
@@ -25,6 +27,11 @@ class Feed extends \Magento\Framework\Model\AbstractModel
 
     const XML_LAST_UPDATE_PATH = 'system/adminnotification/last_update';
 
+    /**
+     * @var Escaper
+     */
+    private $escaper;
+
     /**
      * Feed url
      *
@@ -77,6 +84,7 @@ class Feed extends \Magento\Framework\Model\AbstractModel
      * @param \Magento\Framework\Model\ResourceModel\AbstractResource $resource
      * @param \Magento\Framework\Data\Collection\AbstractDb $resourceCollection
      * @param array $data
+     * @param Escaper|null $escaper
      * @SuppressWarnings(PHPMD.ExcessiveParameterList)
      */
     public function __construct(
@@ -90,21 +98,26 @@ public function __construct(
         \Magento\Framework\UrlInterface $urlBuilder,
         \Magento\Framework\Model\ResourceModel\AbstractResource $resource = null,
         \Magento\Framework\Data\Collection\AbstractDb $resourceCollection = null,
-        array $data = []
+        array $data = [],
+        Escaper $escaper = null
     ) {
         parent::__construct($context, $registry, $resource, $resourceCollection, $data);
-        $this->_backendConfig    = $backendConfig;
-        $this->_inboxFactory     = $inboxFactory;
-        $this->curlFactory       = $curlFactory;
+        $this->_backendConfig = $backendConfig;
+        $this->_inboxFactory = $inboxFactory;
+        $this->curlFactory = $curlFactory;
         $this->_deploymentConfig = $deploymentConfig;
-        $this->productMetadata   = $productMetadata;
-        $this->urlBuilder        = $urlBuilder;
+        $this->productMetadata = $productMetadata;
+        $this->urlBuilder = $urlBuilder;
+        $this->escaper = $escaper ?? ObjectManager::getInstance()->get(
+            Escaper::class
+        );
     }
 
     /**
      * Init model
      *
      * @return void
+     * phpcs:disable Magento2.CodeAnalysis.EmptyBlock
      */
     protected function _construct()
     {
@@ -252,6 +265,6 @@ public function getFeedXml()
      */
     private function escapeString(\SimpleXMLElement $data)
     {
-        return htmlspecialchars((string)$data);
+        return $this->escaper->escapeHtml((string)$data);
     }
 }

app/code/Magento/AuthorizenetGraphQl/Model/AuthorizenetDataProvider.php

@@ -9,14 +9,13 @@
 
 use Magento\QuoteGraphQl\Model\Cart\Payment\AdditionalDataProviderInterface;
 use Magento\Framework\Stdlib\ArrayManager;
-use Magento\Framework\GraphQL\DataObjectConverter;
 
 /**
  * DataProvider Model for Authorizenet
  */
 class AuthorizenetDataProvider implements AdditionalDataProviderInterface
 {
-    private const PATH_ADDITIONAL_DATA = 'input/payment_method/additional_data/authorizenet_acceptjs';
+    private const PATH_ADDITIONAL_DATA = 'authorizenet_acceptjs';
 
     /**
      * @var ArrayManager
@@ -36,12 +35,12 @@ public function __construct(
     /**
      * Return additional data
      *
-     * @param array $args
+     * @param array $data
      * @return array
      */
-    public function getData(array $args): array
+    public function getData(array $data): array
     {
-        $additionalData = $this->arrayManager->get(static::PATH_ADDITIONAL_DATA, $args) ?? [];
+        $additionalData = $this->arrayManager->get(static::PATH_ADDITIONAL_DATA, $data) ?? [];
         foreach ($additionalData as $key => $value) {
             $additionalData[$this->snakeCaseToCamelCase($key)] = $value;
             unset($additionalData[$key]);

app/code/Magento/Backend/Test/Mftf/Section/AdminHeaderSection.xml

@@ -13,5 +13,7 @@
         <element name="adminUserAccountText" type="text" selector=".page-header .admin-user-account-text" />
         <!-- Legacy heading section. Mostly used for admin 404 and 403 pages -->
         <element name="pageHeading" type="text" selector=".page-content .page-heading"/>
+        <!-- Used for page not found error -->
+        <element name="pageNotFoundTitle" type="text" selector=".page-title span"/>
     </section>
 </sections>

app/code/Magento/Backend/Test/Mftf/Test/AdminLoginTest.xml

@@ -20,11 +20,8 @@
             <group value="login"/>
         </annotations>
 
-        <amOnPage url="{{AdminLoginPage.url}}" stepKey="amOnAdminLoginPage"/>
-        <fillField selector="{{AdminLoginFormSection.username}}" userInput="{{_ENV.MAGENTO_ADMIN_USERNAME}}" stepKey="fillUsername"/>
-        <fillField selector="{{AdminLoginFormSection.password}}" userInput="{{_ENV.MAGENTO_ADMIN_PASSWORD}}" stepKey="fillPassword"/>
-        <click selector="{{AdminLoginFormSection.signIn}}" stepKey="clickOnSignIn"/>
-        <closeAdminNotification stepKey="closeAdminNotification"/>
+        <actionGroup ref="LoginAsAdmin" stepKey="loginAsAdmin"/>
         <seeInCurrentUrl url="{{AdminLoginPage.url}}" stepKey="seeAdminLoginUrl"/>
+        <actionGroup ref="logout" stepKey="logoutFromAdmin"/>
     </test>
 </tests>

app/code/Magento/Backend/view/adminhtml/templates/admin/access_denied.phtml

@@ -3,14 +3,13 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <?php
 /**
  * @see \Magento\Backend\Block\Denied
  */
+
+// phpcs:disable Magento2.Security.Superglobal
 ?>
 <hr class="access-denied-hr"/>
 <div class="access-denied-page">
@@ -21,10 +20,10 @@
         <li><span><?= $block->escapeHtml(__('Contact a system administrator or store owner to gain permissions.')) ?></span></li>
         <li>
             <span><?= $block->escapeHtml(__('Return to ')) ?>
-                <?php if(isset($_SERVER['HTTP_REFERER'])): ?>
+                <?php if (isset($_SERVER['HTTP_REFERER'])) : ?>
                     <a href="<?= $block->escapeUrl(__($_SERVER['HTTP_REFERER'])) ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
-                <?php else: ?>
+                <?php else : ?>
                     <a href="<?= $block->escapeHtmlAttr(__('javascript:history.back()')) ?>">
                         <?= $block->escapeHtml(__('previous page')) ?></a><?= $block->escapeHtml(__('.')) ?>
                 <?php endif ?>

app/code/Magento/Backend/view/adminhtml/templates/admin/formkey.phtml

@@ -4,4 +4,4 @@
  * See COPYING.txt for license details.
  */
 ?>
-<div><input name="form_key" type="hidden" value="<?= /* @escapeNotVerified */ $block->getFormKey() ?>" /></div>
+<div><input name="form_key" type="hidden" value="<?= $block->escapeHtmlAttr($block->getFormKey()) ?>" /></div>

app/code/Magento/Backend/view/adminhtml/templates/admin/login.phtml

@@ -4,19 +4,20 @@
  * See COPYING.txt for license details.
  */
 
-// @codingStandardsIgnoreFile
-
+/**
+ * @var \Magento\Framework\View\Element\AbstractBlock $block
+ */
 ?>
 
 <form method="post" action="" id="login-form" data-mage-init='{"form": {}, "validation": {}}' autocomplete="off">
     <fieldset class="admin__fieldset">
         <legend class="admin__legend">
-            <span><?= /* @escapeNotVerified */ __('Welcome, please sign in') ?></span>
+            <span><?= $block->escapeHtml(__('Welcome, please sign in')) ?></span>
         </legend><br/>
-        <input name="form_key" type="hidden" value="<?= /* @escapeNotVerified */ $block->getFormKey() ?>" />
+        <input name="form_key" type="hidden" value="<?= $block->escapeHtmlAttr($block->getFormKey()) ?>" />
         <div class="admin__field _required field-username">
             <label for="username" class="admin__field-label">
-                <span><?= /* @escapeNotVerified */ __('Username') ?></span>
+                <span><?= $block->escapeHtml(__('Username')) ?></span>
             </label>
             <div class="admin__field-control">
                 <input id="username"
@@ -26,14 +27,14 @@
                        autofocus
                        value=""
                        data-validate="{required:true}"
-                       placeholder="<?= /* @escapeNotVerified */ __('user name') ?>"
+                       placeholder="<?= $block->escapeHtmlAttr(__('user name')) ?>"
                        autocomplete="off"
                     />
             </div>
         </div>
         <div class="admin__field _required field-password">
             <label for="login" class="admin__field-label">
-                <span><?= /* @escapeNotVerified */ __('Password') ?></span>
+                <span><?= $block->escapeHtml(__('Password')) ?></span>
             </label>
             <div class="admin__field-control">
                 <input id="login"
@@ -42,7 +43,7 @@
                        name="login[password]"
                        data-validate="{required:true}"
                        value=""
-                       placeholder="<?= /* @escapeNotVerified */ __('password') ?>"
+                       placeholder="<?= $block->escapeHtmlAttr(__('password')) ?>"
                        autocomplete="off"
                     />
             </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/login_buttons.phtml

@@ -8,6 +8,6 @@
     <button
         <?php $block->getUiId(); ?>
         class="action-login action-primary">
-        <span><?= /* @escapeNotVerified */ __('Sign in') ?></span>
+        <span><?= $block->escapeHtml(__('Sign in')) ?></span>
     </button>
 </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/overlay_popup.phtml

@@ -3,15 +3,12 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <div class="wrapper-popup">
     <div class="middle" id="anchor-content">
         <div id="page:main-container">
-        <?php if ($block->getChildHtml('left')): ?>
-            <div class="columns <?= /* @escapeNotVerified */ $block->getContainerCssClass() ?>" id="page:container">
+        <?php if ($block->getChildHtml('left')) : ?>
+            <div class="columns <?= $block->escapeHtmlAttr($block->getContainerCssClass()) ?>" id="page:container">
                 <div id="page:left" class="side-col">
                     <?= $block->getChildHtml('left') ?>
                 </div>
@@ -24,13 +21,13 @@
                     </div>
                 </div>
             </div>
-      <?php else: ?>
+        <?php else : ?>
           <div id="messages" data-container-for="messages"><?= $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?></div>
           <?= $block->getChildHtml('content') ?>
-      <?php endif; ?>
+        <?php endif; ?>
          </div>
     </div>
-    <?php if ($block->getChildHtml('footer')): ?>
+    <?php if ($block->getChildHtml('footer')) : ?>
     <div class="footer">
         <?= $block->getChildHtml('footer') ?>
     </div>

app/code/Magento/Backend/view/adminhtml/templates/admin/page.phtml

@@ -3,19 +3,16 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <?php /** @var $block \Magento\Backend\Block\Page */ ?>
 <!doctype html>
-<html lang="<?= /* @escapeNotVerified */ $block->getLang() ?>" class="no-js">
+<html lang="<?= $block->escapeHtmlAttr($block->getLang()) ?>" class="no-js">
 
 <head>
     <?= $block->getChildHtml('head') ?>
 </head>
 
-<body id="html-body"<?= $block->getBodyClass() ? ' class="' . $block->getBodyClass() . '"' : '' ?> data-container="body" data-mage-init='{"loaderAjax":{},"loader":{}}'>
+<body id="html-body" class="<?= $block->escapeHtmlAttr($block->getBodyClass()) ?>" data-container="body" data-mage-init='{"loaderAjax":{},"loader":{}}'>
     <div class="page-wrapper">
         <?= $block->getChildHtml('notification_window') ?>
         <?= $block->getChildHtml('global_notices') ?>
@@ -31,8 +28,8 @@
                 <?= $block->getLayout()->getMessagesBlock()->getGroupedHtml() ?>
             </div>
             <?= $block->getChildHtml('page_main_actions') ?>
-            <?php if ($block->getChildHtml('left')): ?>
-                <div id="page:main-container" class="<?= /* @escapeNotVerified */ $block->getContainerCssClass() ?> col-2-left-layout">
+            <?php if ($block->getChildHtml('left')) : ?>
+                <div id="page:main-container" class="<?= $block->escapeHtmlAttr($block->getContainerCssClass()) ?> col-2-left-layout">
                     <div class="main-col" id="content">
                         <?= $block->getChildHtml('content') ?>
                     </div>
@@ -41,7 +38,7 @@
                         <?= $block->getChildHtml('left') ?>
                     </div>
                 </div>
-            <?php else: ?>
+            <?php else : ?>
                 <div id="page:main-container" class="col-1-layout">
                     <?= $block->getChildHtml('content') ?>
                 </div>

app/code/Magento/Backend/view/adminhtml/templates/dashboard/graph.phtml

@@ -3,33 +3,33 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
-
 ?>
 <div class="dashboard-diagram">
     <div class="dashboard-diagram-switcher">
         <label for="order_<?= $block->getHtmlId() ?>_period"
-               class="label"><?= /* @escapeNotVerified */ __('Select Range:') ?></label>
+               class="label"><?= $block->escapeHtml(__('Select Range:')) ?></label>
         <select name="period" id="order_<?= $block->getHtmlId() ?>_period"
                 onchange="changeDiagramsPeriod(this);" class="admin__control-select">
-            <?php foreach ($this->helper('Magento\Backend\Helper\Dashboard\Data')->getDatePeriods() as $value => $label): ?>
-                <?php if (in_array($value, ['custom'])) {
+            <?php //phpcs:disable ?>
+            <?php foreach ($this->helper(\Magento\Backend\Helper\Dashboard\Data::class)->getDatePeriods() as $value => $label) : ?>
+                <?php
+                //phpcs:enable
+                if (in_array($value, ['custom'])) {
                     continue;
                 } ?>
-                <option value="<?= /* @escapeNotVerified */ $value ?>"
-                    <?php if ($block->getRequest()->getParam('period') == $value): ?> selected="selected"<?php endif; ?>
-                    ><?= /* @escapeNotVerified */ $label ?></option>
+                <option value="<?= /* @noEscape */ $value ?>"
+                    <?php if ($block->getRequest()->getParam('period') == $value) : ?> selected="selected"<?php endif; ?>
+                    ><?= $block->escapeHtml($label) ?></option>
             <?php endforeach; ?>
         </select>
     </div>
-    <?php if ($block->getCount()): ?>
+    <?php if ($block->getCount()) : ?>
     <div class="dashboard-diagram-image">
-        <img src="<?= /* @escapeNotVerified */ $block->getChartUrl(false) ?>" class="dashboard-diagram-chart" alt="Chart" title="Chart" />
+        <img src="<?= $block->escapeUrl($block->getChartUrl(false)) ?>" class="dashboard-diagram-chart" alt="Chart" title="Chart" />
     </div>
-    <?php else: ?>
+    <?php else : ?>
     <div class="dashboard-diagram-nodata">
-        <span><?= /* @escapeNotVerified */ __('No Data Found') ?></span>
+        <span><?= $block->escapeHtml(__('No Data Found')) ?></span>
     </div>
     <?php endif; ?>
 </div>

app/code/Magento/Backend/view/adminhtml/templates/dashboard/graph/disabled.phtml

@@ -3,9 +3,7 @@
  * Copyright © Magento, Inc. All rights reserved.
  * See COPYING.txt for license details.
  */
-
-// @codingStandardsIgnoreFile
 ?>
 <div class="dashboard-diagram-disabled">
-    <?= /* @escapeNotVerified */ __('Chart is disabled. To enable the chart, click <a href="%1">here</a>.', $block->getConfigUrl()) ?>
+    <?= /* @noEscape */ __('Chart is disabled. To enable the chart, click <a href="%1">here</a>.', $block->escapeUrl($block->getConfigUrl())) ?>
 </div>