Chore: Payment - Replace Block Escaping with Escaper #37061

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 21 additions & 17 deletions app/code/Magento/Payment/view/adminhtml/templates/form/cc.phtml
Original file line number Diff line number Diff line change
Expand Up @@ -3,41 +3,45 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @var \Magento\Payment\Block\Adminhtml\Transparent\Form $block
* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
*/
$code = $block->escapeHtml($block->getMethodCode());
use Magento\Framework\Escaper;
use Magento\Framework\View\Helper\SecureHtmlRenderer;
use Magento\Payment\Block\Adminhtml\Transparent\Form;

/** @var Escaper $escaper */
/** @var Form $block */
/** @var SecureHtmlRenderer $secureRenderer */
$code = $escaper->escapeHtml($block->getMethodCode());
$ccType = $block->getInfoData('cc_type');
$ccExpMonth = $block->getInfoData('cc_exp_month');
$ccExpYear = $block->getInfoData('cc_exp_year');
?>
<fieldset class="admin__fieldset payment-method" id="payment_form_<?= /* @noEscape */ $code ?>">
<div class="field-type admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_type">
<span><?= $block->escapeHtml(__('Credit Card Type')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Type')) ?></span>
</label>
<div class="admin__field-control">
<select id="<?= /* @noEscape */ $code ?>_cc_type" name="payment[cc_type]"
class="required-entry validate-cc-type-select admin__control-select">
<option value=""></option>
<?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName): ?>
<option value="<?= $block->escapeHtml($typeCode) ?>"
<option value="<?= $escaper->escapeHtml($typeCode) ?>"
<?php if ($typeCode == $ccType): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($typeName) ?>
<?= $escaper->escapeHtml($typeName) ?>
</option>
<?php endforeach ?>
</select>
</div>
</div>
<div class="field-number admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_number">
<span><?= $block->escapeHtml(__('Credit Card Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text" id="<?= /* @noEscape */ $code ?>_cc_number" name="payment[cc_number]"
title="<?= $block->escapeHtml(__('Credit Card Number')) ?>"
title="<?= $escaper->escapeHtml(__('Credit Card Number')) ?>"
class="admin__control-text validate-cc-number"
value="<?= /* @noEscape */ $block->getInfoData('cc_number') ?>"/>
<?= /* @noEscape */ $secureRenderer->renderEventListenerAsTag(
Expand All @@ -59,24 +63,24 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
</div>
<div class="field-date admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_expiration">
<span><?= $block->escapeHtml(__('Expiration Date')) ?></span>
<span><?= $escaper->escapeHtml(__('Expiration Date')) ?></span>
</label>
<div class="admin__field-control">
<select id="<?= /* @noEscape */ $code ?>_expiration" name="payment[cc_exp_month]"
class="admin__control-select admin__control-select-month validate-cc-exp required-entry">
<?php foreach ($block->getCcMonths() as $k => $v): ?>
<option value="<?= $block->escapeHtml($k) ?>"
<option value="<?= $escaper->escapeHtml($k) ?>"
<?php if ($k == $ccExpMonth): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach; ?>
</select>
<select id="<?= /* @noEscape */ $code ?>_expiration_yr" name="payment[cc_exp_year]"
class="admin__control-select admin__control-select-year required-entry">
<?php foreach ($block->getCcYears() as $k => $v): ?>
<option value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
<option value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpYear): ?>selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -86,10 +90,10 @@ $ccExpYear = $block->getInfoData('cc_exp_year');
<?php if ($block->hasVerification()): ?>
<div class="field-number required admin__field _required">
<label class="admin__field-label" for="<?= /* @noEscape */ $code ?>_cc_cid">
<span><?= $block->escapeHtml(__('Card Verification Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Card Verification Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text" title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
<input type="text" title="<?= $escaper->escapeHtml(__('Card Verification Number')) ?>"
class="required-entry validate-cc-cvn admin__control-cvn admin__control-text"
id="<?= /* @noEscape */ $code ?>_cc_cid"
name="payment[cc_cid]" value="<?= /* @noEscape */ $block->getInfoData('cc_cid') ?>"/>
Expand Down
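Review bot: The card number and CVN inputs still write info data into an attribute without escaping, at `value="<?= /* @noEscape */ $block->getInfoData('cc_number') ?>"` and the matching `cc_cid` line, while every neighbouring output in this hunk is being moved to `$escaper`; the context-appropriate call would be `value="<?= $escaper->escapeHtmlAttr($block->getInfoData('cc_number')) ?>"` (and the same for `cc_cid`). Whether getInfoData() can ever return text that was not produced by this form is not visible here, but the `@noEscape` marker asserts that it cannot, and a marker like that deserves either a one-line justification or the escape call. The loose comparisons on the `selected` checks (`$typeCode == $ccType`, `$k == $ccExpMonth`, `$k == $ccExpYear`) predate the commit but sit oddly next to the new `declare(strict_types=1)`; `===` with explicit `(string)` casts would make the intent unambiguous.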
Original file line number Diff line number Diff line change
Expand Up @@ -3,23 +3,25 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @var \Magento\Payment\Block\Info $block
* @see \Magento\Payment\Block\Info
*/
use Magento\Framework\Escaper;
use Magento\Payment\Block\Info;

/** @var Escaper $escaper */
/** @var Info $block */
$specificInfo = $block->getSpecificInformation();
$paymentTitle = $block->getMethod()->getConfigData('title', $block->getInfo()->getOrder()->getStoreId());
?>
<?= $block->escapeHtml($paymentTitle) ?>
<?= $escaper->escapeHtml($paymentTitle) ?>

<?php if ($specificInfo) : ?>
<table class="data-table admin__table-secondary">
<?php foreach ($specificInfo as $label => $value) : ?>
<tr>
<th><?= $block->escapeHtml($label) ?>:</th>
<th><?= $escaper->escapeHtml($label) ?>:</th>
<td>
<?= /* @noEscape */ nl2br($block->escapeHtml(implode("\n", $block->getValueAsArray($value, true)))) ?>
<?= /* @noEscape */ nl2br($escaper->escapeHtml(implode("\n", $block->getValueAsArray($value, true)))) ?>
</td>
</tr>
<?php endforeach; ?>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,18 +3,20 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @var \Magento\Payment\Block\Info $block
* @see \Magento\Payment\Block\Info
*/
use Magento\Framework\Escaper;
use Magento\Payment\Block\Info;

/** @var Escaper $escaper */
/** @var Info $block */
?>
<p><?= $block->escapeHtml($block->getMethod()->getTitle()) ?></p>
<p><?= $escaper->escapeHtml($block->getMethod()->getTitle()) ?></p>
<?php if ($block->getInstructions()) : ?>
<table>
<tbody>
<tr>
<td><?= /* @noEscape */ nl2br($block->escapeHtml($block->getInstructions())) ?></td>
<td><?= /* @noEscape */ nl2br($escaper->escapeHtml($block->getInstructions())) ?></td>
</tr>
</tbody>
</table>
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,21 +3,23 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @see \Magento\Payment\Block\Info
* @var \Magento\Payment\Block\Info $block
*/
use Magento\Framework\Escaper;
use Magento\Payment\Block\Info;

/** @var Escaper $escaper */
/** @var Info $block */
$paymentTitle = $block->getMethod()->getConfigData('title', $block->getInfo()->getOrder()->getStoreId());
?>
<?= $block->escapeHtml($paymentTitle) ?>{{pdf_row_separator}}
<?= $escaper->escapeHtml($paymentTitle) ?>{{pdf_row_separator}}

<?php if ($specificInfo = $block->getSpecificInformation()) : ?>
<?php foreach ($specificInfo as $label => $value) : ?>
<?= $block->escapeHtml($label) ?>:
<?= $block->escapeHtml(implode(' ', $block->getValueAsArray($value))) ?>
<?= $escaper->escapeHtml($label) ?>:
<?= $escaper->escapeHtml(implode(' ', $block->getValueAsArray($value))) ?>
{{pdf_row_separator}}
<?php endforeach; ?>
<?php endif;?>

<?= $block->escapeHtml(implode('{{pdf_row_separator}}', $block->getChildPdfAsArray())) ?>
<?= $escaper->escapeHtml(implode('{{pdf_row_separator}}', $block->getChildPdfAsArray())) ?>
Original file line number Diff line number Diff line change
Expand Up @@ -3,14 +3,17 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @var \Magento\Payment\Block\Info $block
*/
use Magento\Framework\Escaper;
use Magento\Payment\Block\Info;

/** @var Escaper $escaper */
/** @var Info $block */
?>
<div>
<?= $block->getMethod()->getTitle()
? $block->escapeHtml($block->getMethod()->getTitle())
: $block->escapeHtml(__('Payment method')); ?>
<?= $block->escapeHtml(__(' is not available. You still can process offline actions.')) ?>
? $escaper->escapeHtml($block->getMethod()->getTitle())
: $escaper->escapeHtml(__('Payment method')); ?>
<?= $escaper->escapeHtml(__(' is not available. You still can process offline actions.')) ?>
</div>
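Review bot: `$block->getMethod()->getTitle()` is evaluated twice in the ternary that the commit rewrites (once for the truth test, once for the escaped output), which is a style point rather than a defect. Hoisting it into the PHP block above, `$title = $block->getMethod()->getTitle();`, and emitting `<?= $escaper->escapeHtml($title ?: __('Payment method')) ?>` keeps the same truthiness test, calls the method once, and reads in line with the other templates in this PR that assign `$paymentTitle` before the markup.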
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,16 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/** @var \Magento\Payment\Block\Transparent\Form $block */
/** @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer */
use Magento\Framework\Escaper;
use Magento\Framework\View\Helper\SecureHtmlRenderer;
use Magento\Payment\Block\Transparent\Form;

$code = $block->escapeHtml($block->getMethodCode());
/** @var Escaper $escaper */
/** @var SecureHtmlRenderer $secureRenderer */
/** @var Form $block */
$code = $escaper->escapeHtml($block->getMethodCode());
$ccType = $block->getInfoData('cc_type');
$ccExpYear = $block->getInfoData('cc_exp_year');
$ccExpMonth = $block->getInfoData('cc_exp_month');
Expand All @@ -19,7 +24,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
allowtransparency="true"
frameborder="0"
name="iframeTransparent"
src="<?= $block->escapeUrl($block->getViewFileUrl('blank.html')) ?>"></iframe>
src="<?= $escaper->escapeUrl($block->getViewFileUrl('blank.html')) ?>"></iframe>
<?= /* @noEscape */ $secureRenderer->renderStyleAsTag(
"display: none; width: 100%; background-color: transparent;",
'iframe#' . /* @noEscape */ $code . '-transparent-iframe'
Expand All @@ -29,48 +34,48 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
class="admin__fieldset"
data-mage-init='{
"transparent":{
"cardFieldsMap":<?= $block->escapeHtml($block->getCardFieldsMap()) ?>,
"controller":"<?= $block->escapeHtml($block->getRequest()->getControllerName()) ?>",
"cardFieldsMap":<?= $escaper->escapeHtml($block->getCardFieldsMap()) ?>,
"controller":"<?= $escaper->escapeHtml($block->getRequest()->getControllerName()) ?>",
"gateway":"<?= /* @noEscape */ $code ?>",
"dateDelim":"<?= $block->escapeHtml($block->getDateDelim()) ?>",
"orderSaveUrl":"<?= $block->escapeUrl($block->getOrderUrl()) ?>",
"cgiUrl":"<?= $block->escapeUrl($block->getCgiUrl()) ?>",
"expireYearLength":"<?= $block->escapeHtml($block->getMethodConfigData('cc_year_length')) ?>",
"nativeAction":"<?= $block->escapeUrl(
"dateDelim":"<?= $escaper->escapeHtml($block->getDateDelim()) ?>",
"orderSaveUrl":"<?= $escaper->escapeUrl($block->getOrderUrl()) ?>",
"cgiUrl":"<?= $escaper->escapeUrl($block->getCgiUrl()) ?>",
"expireYearLength":"<?= $escaper->escapeHtml($block->getMethodConfigData('cc_year_length')) ?>",
"nativeAction":"<?= $escaper->escapeUrl(
$block->getUrl('*/*/save', ['_secure' => $block->getRequest()->isSecure()])
) ?>"
}, "validation":[]}'>
<div class="admin__field _required">
<label for="<?= /* @noEscape */ $code ?>_cc_type" class="admin__field-label">
<span><?= $block->escapeHtml(__('Credit Card Type')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Type')) ?></span>
</label>
<div class="admin__field-control">
<select id="<?= /* @noEscape */ $code ?>_cc_type"
class="admin__control-select"
data-container="<?= /* @noEscape */ $code ?>-cc-type"
data-validate='{required:true, "validate-cc-type-select":"#<?= /* @noEscape */ $code ?>_cc_number"}'
name="payment[cc_type]">
<option value=""><?= $block->escapeHtml(__('Please Select')) ?></option>
<option value=""><?= $escaper->escapeHtml(__('Please Select')) ?></option>
<?php foreach ($block->getCcAvailableTypes() as $typeCode => $typeName): ?>
<option
value="<?= $block->escapeHtml($typeCode) ?>"
value="<?= $escaper->escapeHtml($typeCode) ?>"
<?php if ($typeCode == $ccType): ?> selected="selected"<?php endif ?>>
<?= $block->escapeHtml($typeName) ?>
<?= $escaper->escapeHtml($typeName) ?>
</option>
<?php endforeach ?>
</select>
</div>
</div>
<div class="admin__field _required field-number">
<label for="<?= /* @noEscape */ $code ?>_cc_number" class="admin__field-label">
<span><?= $block->escapeHtml(__('Credit Card Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Credit Card Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text"
id="<?= /* @noEscape */ $code ?>_cc_number"
data-container="<?= /* @noEscape */ $code ?>-cc-number"
name="payment[cc_number]"
title="<?= $block->escapeHtml(__('Credit Card Number')) ?>"
title="<?= $escaper->escapeHtml(__('Credit Card Number')) ?>"
class="admin__control-text"
value=""
data-validate='{
Expand Down Expand Up @@ -98,7 +103,7 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
</div>
<div class="admin__field _required field-date" id="<?= /* @noEscape */ $code ?>_cc_type_exp_div">
<label for="<?= /* @noEscape */ $code ?>_expiration" class="admin__field-label">
<span><?= $block->escapeHtml(__('Expiration Date')) ?></span>
<span><?= $escaper->escapeHtml(__('Expiration Date')) ?></span>
</label>

<div class="admin__field-control">
Expand All @@ -109,9 +114,9 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
name="payment[cc_exp_month]">
<?php foreach ($block->getCcMonths() as $k => $v): ?>
<option
value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpMonth): ?> selected="selected"<?php endif; ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -122,9 +127,9 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
name="payment[cc_exp_year]">
<?php foreach ($block->getCcYears() as $k => $v): ?>
<option
value="<?= /* @noEscape */ $k ? $block->escapeHtml($k) : '' ?>"
value="<?= /* @noEscape */ $k ? $escaper->escapeHtml($k) : '' ?>"
<?php if ($k == $ccExpYear): ?> selected="selected"<?php endif ?>>
<?= $block->escapeHtml($v) ?>
<?= $escaper->escapeHtml($v) ?>
</option>
<?php endforeach ?>
</select>
Expand All @@ -133,10 +138,10 @@ $ccExpMonth = $block->getInfoData('cc_exp_month');
<?php if ($block->hasVerification()): ?>
<div class="admin__field _required field-cvv" id="<?= /* @noEscape */ $code ?>_cc_type_cvv_div">
<label for="<?= /* @noEscape */ $code ?>_cc_cid" class="admin__field-label">
<span><?= $block->escapeHtml(__('Card Verification Number')) ?></span>
<span><?= $escaper->escapeHtml(__('Card Verification Number')) ?></span>
</label>
<div class="admin__field-control">
<input type="text" title="<?= $block->escapeHtml(__('Card Verification Number')) ?>"
<input type="text" title="<?= $escaper->escapeHtml(__('Card Verification Number')) ?>"
data-container="<?= /* @noEscape */ $code ?>-cc-cvv"
class="admin__control-text cvv"
id="<?= /* @noEscape */ $code ?>_cc_cid" name="payment[cc_cid]"
Expand Down
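Review bot: The values interpolated inside the single-quoted `data-mage-init='…'` attribute (`cardFieldsMap`, `controller`, `dateDelim`, `expireYearLength`) and the `title="…"` attributes are attribute context, yet the commit keeps `escapeHtml` for them and only swaps the receiver; `$escaper->escapeHtmlAttr(...)` is the context-specific method. escapeHtml presumably encodes both quote characters as well, so this is not an observed breakout, but since the commit touches every one of those lines it is the cheapest moment to align the escaping with the context. Note that `"controller"` is fed from `$block->getRequest()->getControllerName()`, i.e. request-derived, so it is the line most worth getting right; the `'iframe#' . /* @noEscape */ $code . '-transparent-iframe'` selector reuses an HTML-escaped value in a CSS selector context, which predates the commit but is worth a short comment explaining why that is considered safe.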
Original file line number Diff line number Diff line change
Expand Up @@ -3,11 +3,15 @@
* Copyright © Magento, Inc. All rights reserved.
* See COPYING.txt for license details.
*/
declare(strict_types=1);

/**
* @var \Magento\Payment\Block\Transparent\Iframe $block
* @var \Magento\Framework\View\Helper\SecureHtmlRenderer $secureRenderer
*/
use Magento\Framework\Escaper;
use Magento\Framework\View\Helper\SecureHtmlRenderer;
use Magento\Payment\Block\Transparent\Iframe;

/** @var Escaper $escaper */
/** @var SecureHtmlRenderer $secureRenderer */
/** @var Iframe $block */
$params = $block->getParams();

/** @var \Magento\Framework\Json\Helper\Data $jsonHelper */
Expand All @@ -18,12 +22,12 @@ $jsonHelper = $block->getData('jsonHelper');
<?php $scriptString = '' ?>
<?php if (isset($params['redirect'])): ?>
<?php $scriptString .= <<<script
window.location="{$block->escapeJs($params['redirect'])}";
window.location="{$escaper->escapeJs($params['redirect'])}";
script;
?>
<?php elseif (isset($params['redirect_parent'])): ?>
<?php $scriptString .= <<<script
window.top.location="{$block->escapeJs($params['redirect_parent'])}";
window.top.location="{$escaper->escapeJs($params['redirect_parent'])}";
script;
?>
<?php elseif (isset($params['error_msg'])): ?>
Expand All @@ -34,7 +38,7 @@ script;
?>
<?php elseif (isset($params['order_success'])): ?>
<?php $scriptString .= <<<script
window.top.location = "{$block->escapeJs($params['order_success'])}";
window.top.location = "{$escaper->escapeJs($params['order_success'])}";
script;
?>
<?php else: ?>
Expand Down
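Review bot: `escapeJs` on `window.location="{$escaper->escapeJs($params['redirect'])}"` (and the `redirect_parent` and `order_success` branches) keeps the JavaScript string literal intact but does not constrain what URL ends up assigned to `location`, so the commit's receiver swap leaves the real question open: where `$params` comes from. `$block->getParams()` is not visible here; if any of those keys can carry a value influenced by the gateway callback or the request, the mitigation is to validate it as an absolute URL on an allowed host before it reaches the template, and a comment such as `// redirect targets are set server-side from method config; never from request input` would document that assumption if it holds. The `$jsonHelper = $block->getData('jsonHelper')` line in the hunk header uses `Magento\Framework\Json\Helper\Data`, which I believe is marked deprecated in recent releases in favour of the serializer; worth confirming while this file is being modernised. The `if`/`elseif` chain continues past the end of the hunk.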